#094

EU's Pegasus investigator got hacked with Pegasus, solo founder hit $1M ARR on zero marketing

The EU politician investigating Pegasus spyware was himself hacked by Pegasus. A solo founder hit $1M ARR in 9 months with zero marketing. Mistral scored 100%.

The EU politician investigating Pegasus spyware got hacked with Pegasus. Stelios Kouloglou, a Greek journalist and MEP sitting on the PEGA Committee (the body created to investigate spyware abuses), had his iPhone infected twice while the committee was still operating. Citizen Lab confirmed both infections and identified the specific exploit chain used.

The committee published its final report calling for an EU spyware moratorium. The European Commission mostly ignored it. Now we know the investigators themselves were compromised while drafting those recommendations.

In today’s indie hacker news:

  • EU’s spyware investigator hacked by the spyware he was investigating
  • Solo founder hits $1M ARR in 9 months, $0 marketing, one Claude prompt
  • Mistral’s 6.5B model scores 100% on miniF2F, finds real bugs in repos
  • Bitcoin Core dev publishes $51K local LLM blueprint at 80 tok/s
  • ProseMirror creator ships Wordgard, a ground-up successor after 9 years

Top Stories

THE SPY HUNTER GOT HUNTED

EU’s spyware investigator was hacked with Pegasus while on the committee

EU's spyware investigator was hacked with Pegasus while on the committee

The story: Citizen Lab confirmed that Stelios Kouloglou, a Greek investigative journalist and former MEP, had his iPhone compromised with NSO Group’s Pegasus spyware on October 21, 2022 and again on March 6-7, 2023. Both infections happened while he was serving on the PEGA Committee, the European Parliament body created specifically to investigate Pegasus abuses across EU member states.

The details:

  • The exploit was PWNYOURHOME, a zero-click attack targeting HomeKit. No link, no interaction, no user error.
  • Kouloglou’s phone held 15 years of data including messages with prime ministers. The spyware likely captured non-public committee information.
  • Citizen Lab found infrastructure overlap between Kouloglou’s infection and a campaign targeting Russian and Belarusian-speaking exiled journalists in Europe.
  • Apple sent him three mercenary spyware threat notifications starting March 2023, months after the first infection.
  • Citizen Lab says it found “no indications that the Greek Government is responsible,” though Kouloglou himself believes Greece is behind it.

Why builders care: Standard security hygiene (strong passwords, avoiding suspicious links) offers no protection against exploits like this. If you’re building products that handle sensitive data, your threat model now has to account for silent compromise with no user interaction at all.


$0 MARKETING, $1M RECEIPTS

Solo founder hits $1M ARR in 9 months with zero ad spend and one Claude prompt for SEO

Solo founder hits $1M ARR in 9 months

The story: A solo founder going by TRO_KIK on r/SaaS posted Stripe-verified revenue showing $969K all-time and $93K MRR with 4,658 active subscribers. The product is a B2C entertainment app. Marketing spend: $0. The entire SEO strategy: asking Claude to “do some SEO stuff idk.” The post hit #1 on r/SaaS.

The details:

  • TrustMRR verification confirms $969K Stripe revenue and $93K MRR. PayPal revenue not reflected, so total exceeds what’s shown.
  • The founder offered a free open-source version for two years before monetizing, building community trust and niche authority.
  • Google Search Console shows 3,500 clicks per day with minimal SEO effort, suggesting high-intent demand in an underserved niche.
  • An early-mover competitor with a university degree and larger funnel “was destitute for much of the company’s run.” TRO_KIK passed their revenue in month one.
  • Stack: Svelte, Java, AWS, PostgreSQL, Stripe, and PayPal.

Why builders care: The sequencing matters more than the marketing. Two years of free, open-source community building created the trust that converted to paying subscribers with zero paid acquisition. Google did the distribution for a product that solved a real search-hungry niche.


100% ON THE MATH TEST

Mistral’s Leanstral 1.5 saturates miniF2F and finds real bugs in open-source repos

Mistral's Leanstral 1.5 saturates miniF2F

The story: Mistral released Leanstral 1.5, a Lean 4 formal proof model under Apache-2.0. It scored 100% on both the miniF2F validation and test sets, the first model to fully saturate this benchmark. The MoE architecture runs 6.5B active parameters per token (119B total), keeping inference costs close to a small dense model.

The details:

  • Solved 587 of 672 PutnamBench problems at ~$4 per problem. Frontier models cost $300+ per problem for comparable performance.
  • On FLTEval (real proof-engineering tasks), it scored 43.2 pass@8, beating Claude Opus 4.6’s 39.6 at one-seventh the cost.
  • Across 57 real open-source repositories, it flagged 47 violated properties and 11 genuine bugs. Five were previously unreported on GitHub.
  • Free API via Mistral Labs (model ID: labs-leanstral-1-5) and open weights on HuggingFace.

Why builders care: Point it at a repo and have it generate Lean 4 specifications. At $4 per hard proof vs. $300+ for frontier models, teams doing cryptography, protocol verification, or safety-critical systems can afford formal verification at scale for the first time.


$51K, NO API

Bitcoin Core dev publishes the complete blueprint to run frontier LLMs locally

Bitcoin Core dev's local LLM blueprint

The story: James O’Beirne (jamesob), a Bitcoin Core developer, published a fully reproducible build guide for running frontier LLMs locally. The top tier: 4x RTX PRO 6000 Blackwell GPUs (384GB VRAM) running GLM-5.2 at ~80 tokens/second. He spent $46K on GPUs and $5.5K on eBay-sourced AMD EPYC parts for the base system.

The details:

  • Two tiers: a $2K build (2x RTX 3090, 48GB VRAM) running Qwen3.6-27B, and the $51K flagship running GLM-5.2 (62.1 on SWE-bench Pro, beating GPT-5.5’s 58.6).
  • Critical kernel fix documented: without iommu=off amd_iommu=off in GRUB, NCCL hangs on multi-GPU communication. The guide includes exact BIOS settings, kernel parameters, and Docker Compose files.
  • A $1,330 Microchip Switchtec PCIe switch delivers near-NVLink GPU-to-GPU bandwidth at 27.5 GB/s.
  • Philosophy: dump money into VRAM (where it counts), buy last-gen base hardware on eBay, cap GPUs at 350W to run on a standard circuit.

Why builders care: The $2K tier is the actionable one for most indie hackers. Models that cost $500+/month in API fees run privately at near-zero marginal cost. If you handle sensitive user data (health, legal, finance), the privacy argument is now cost-neutral.


SIXTH TIME’S THE CHARM

ProseMirror creator Marijn Haverbeke ships Wordgard, a ground-up successor

Wordgard: ProseMirror successor

The story: Marijn Haverbeke, author of ProseMirror, CodeMirror, and “Eloquent JavaScript,” released Wordgard 0.1, a new MIT-licensed rich-text editor built from scratch. It’s his sixth non-trivial editor implementation, incorporating nine years of lessons since stabilizing ProseMirror. There is no migration path from ProseMirror by design.

The details:

  • Architecture borrows CodeMirror 6’s facet-based extension system instead of ProseMirror’s plugin model.
  • Replaces ProseMirror’s step-based changes (which Haverbeke called “seriously awkward to work with”) with a delta system using keep/replace/update sections.
  • Collaborative editing is a first-class primitive, not a bolt-on plugin.
  • Carries a 0% AI badge. Pull requests are not accepted. Code lives on Haverbeke’s self-hosted Forgejo instance.

Why builders care: ProseMirror powers editors at Atlassian, the New York Times, and Asana. Tiptap built a whole business on top of it. Wordgard is what happens when the creator of the foundation decides the foundation had the wrong shape. Early adopters who build on 0.x can shape the API before it hardens.


🔥 Local LLMs pass the vibe-coding bar. A r/LocalLLaMA user ran Qwen3.6-27b-mtp-q8 through Claude Code locally and had it autonomously build A* pathfinding for a Java game over 12 hours. No manual coding. Meanwhile, Wafer.ai benchmarked GLM5.2 on AMD MI355X at 2,626 tok/s per node, reaching 80% of Blackwell throughput at half the cost.

🔥 Palantir CEO slams enterprise “tokenmaxxing.” Alex Karp told CNBC that companies are “paying for tokens that create no value” and released a 9-point AI sovereignty manifesto urging businesses to own their data instead of piping it to frontier labs. r/artificial is split. Palantir stock rose 8% on the day.

🔥 AI coding tools spawn new peripherals. A builder wired a desk lamp to Claude Code via BLE: navy when working, orange when idle, purple when waiting for input. Meanwhile, mcpsnoop shipped a Wireshark-style TUI for MCP traffic (52 HN pts), and ctx indexes your past Claude Code sessions into searchable local SQLite (64 HN pts).


First Dollar

THE MORNING STOIC CONVERTS

First paying customer for a Stoic quotes app, earned while out running

A solo dev built Dawnstone, a daily Stoic quotes app (Marcus Aurelius, Seneca, Epictetus) with an iPhone Lock Screen widget and morning email delivery. Weeks of manual marketing work produced zero revenue. Then a stranger on the other side of the planet bought the Lifetime unlock while the builder was out for a run. The r/SideProject post hit #3 hot. The first dollar always lands when you stop watching the dashboard.


Drama

RAGE-CODING MEETS RAGE-FARMING

Odin, Wikipedia, and the art of performative outrage

The Odin programming language’s Wikipedia article was deleted in March for lacking “reliable sources.” Creator GingerBill and Casey Muratori called Wikipedia an “ideological playground gatekept by activists.” A detailed analysis by katamari argues the outrage was performative: GingerBill simultaneously claimed indifference while fighting extensively, and shifted tone for larger audiences (like Jimmy Wales). The HN thread (65 pts, 77 comments) generated more heat than light.

Why builders care: Wikipedia notability matters for brand SEO. If your project gets deleted, the worst move is inflammatory tweets. The best move is getting cited in independent coverage first.


Stack of the Day

🔧 mcpsnoop

Wireshark for MCP. A transparent proxy TUI that sits in the stdio pipe between your AI client (Claude Desktop, Cursor, Claude Code) and MCP servers. Shows every JSON-RPC request and response live with color coding. Hung calls display PENDING with a timer. Calls can be filtered and replayed. Free, open-source, TUI-based. 52 HN points.

Not sponsored. We just feature tools builders would actually use.


Bookmarked Today

🔖 SearXNG - Self-hostable metasearch engine aggregating 70+ search sources. No tracking, no ads, no API costs. 158 HN points. Builders can drop it behind a private search endpoint.

🔖 Open Source AI Gap Map - Simon Willison highlights Current AI’s map of gaps in the open-source AI stack. Good reference if you’re deciding what to build next.

🔖 NoUploadTools - Curated directory of free, no-login, privacy-first web tools. No file uploads leave your browser. #2 on r/microsaas. Useful both as a reference and as inspiration for building privacy-respecting SaaS.


Curated by AI, built by a human.