A thought experiment that became a prototype: what if a whistleblower platform had no server at all? No server to seize. No nonprofit to pressure. No identity to leak.
GhostDrop protects sources by centralising trust in a news organisation’s infrastructure. That infrastructure can be subpoenaed, raided, or pressured. The nonprofit can be defunded. The server is a single point of failure dressed up as security.
GhostDrop rebuilds the problem from first principles. Anonymous submission over Logos Messaging gossip — your IP never reaches the outlet directly. ECIES encryption to the outlet’s secp256k1 key before the document leaves the browser. Permanent storage on Logos Storage, content-addressed and replicated. Tamper-evident anchoring on Logos Blockchain. There is no server to seize because there is no server.
The submission flow is seven steps, all client-side. Upload the file. Scan for metadata. Strip it — pdf-lib for PDFs, Canvas redraw for images, ZIP/XML patch for Office documents. Encrypt with ECIES using the outlet’s public key. Push to the Logos Messaging gossip network via LightPush. Save the 12-word ephemeral claim key. Done.
The outlet receives via Filter subscription, decrypts, reviews, uploads to Logos Storage, and anchors the document hash on-chain. Readers fetch from storage, verify against the blockchain anchor. The chain of custody is cryptographic. No step requires trust in a person or an organisation.
Metadata stripping covers the formats that matter. PDF fields — title, author, subject, keywords, creator, producer, dates, XMP streams. Image EXIF — GPS coordinates, MakerNotes, IPTC, ICC profiles, thumbnails. Office XML — creator, company, revision history, template references. The stripping happens before encryption. What leaves the browser is clean.
The built-in OpSec advisor checks six vectors: Tor Browser detection, WebRTC IP leak scanning, browser fingerprint analysis, device security warnings, printer steganography alerts, and network timing correlation for non-Tor users.
Anonymous tipping works through Logos Blockchain escrow. Readers lock XMR, claimable only by the source’s 12-word ephemeral key. Sources poll the Logos Messaging Store for outlet replies through a back-channel — no persistent connection, no call-home.
The entire application is static files. Build once, deploy anywhere. Logos Messaging connects to the public fleet automatically. Storage and blockchain degrade gracefully to mock mode until local nodes are connected.
Stack: React 18 · Vite 5 · @noble/curves (ECIES) · @waku/sdk · @codex-storage/sdk-js · Logos Blockchain REST · pdf-lib · exifr · fflate Status: Working prototype. Messaging live on public fleet. Storage and blockchain awaiting mainnet. GitHub