Darkbloom: Private AI Inference on Idle Macs
Table of contents
There are over 100 million Apple Silicon Macs in the world. Most of them sit idle for 16+ hours a day. Each one has a unified memory architecture, a Metal-capable GPU, and enough bandwidth to run a 27-billion-parameter model at 100 tokens per second.
Eigen Labs looked at that and saw an untapped inference cluster. This week they shipped Darkbloom, a decentralized network that routes AI inference requests to idle Macs. The provider runs a hardened process on their machine. The consumer sends encrypted prompts. The machine owner never sees the data.
That is the claim. Let us see if the architecture holds.
The Core Problem
Decentralized inference has a fundamental trust problem. The person running the hardware has root access and physical custody of the machine. They can attach debuggers, read process memory, intercept network traffic, and modify binaries. Every other decentralized compute network either ignores this problem or punts it to hardware Trusted Execution Environments (TEEs) like Intel SGX or AMD SEV.
Macs do not have TEEs for third-party code. There is no SGX equivalent on Apple Silicon. So Eigen Labs had to invent a different approach.
Software Access Path Elimination
The research paper introduces what they call "Software Access Path Elimination." Instead of relying on a hardware enclave, they systematically eliminate every software path through which the operator could observe inference data.
The inference engine runs directly inside a single hardened process. No subprocess. No local server. No inter-process communication. Everything happens in one address space.
Then they lock that process down at the OS level:
- PT_DENY_ATTACH: A macOS kernel flag that prevents any debugger from attaching to the process. Once set, it cannot be reversed without killing the process.
- Hardened Runtime: Blocks memory-reading APIs, code injection, and dynamic library loading. The process cannot be inspected through any standard macOS developer tool.
- System Integrity Protection (SIP): The paper proves (Theorem 1) that SIP, once verified at process launch, is immutable for the process lifetime. Disabling SIP requires rebooting into Recovery Mode, which terminates the process and erases its data.
The key insight: you cannot disable these protections without rebooting, and rebooting kills the process. The security guarantee is tied to the process lifetime, not to the hardware.
The Attestation Chain
Locking down one process is not enough. The consumer needs proof that the process they are talking to is actually the hardened binary, not a modified version.
Darkbloom implements a four-layer attestation chain:
- Secure Enclave identity: Each Mac generates a P-256 key pair inside Apple's Secure Enclave. The private key never leaves the hardware. This gives every node a hardware-bound cryptographic identity.
- Apple-signed certificates: The Secure Enclave key is signed by Apple's certificate chain, tracing back to Apple's root CA. This proves the key was generated on genuine Apple hardware.
- Binary attestation: The hash of the running inference binary is attested by the Secure Enclave. If the binary is modified, the attestation fails.
- MDM enrollment verification: The machine's enrollment status and configuration are verified against a management profile.
Challenge-response verification runs every 5 minutes. If any layer fails, the node is removed from the network.
What It Actually Runs
The network currently supports:
- Gemma 4 26B (8-bit MoE) at $0.03-0.20 per million tokens
- Qwen3.5 122B MoE (10B active parameters) at $0.13-1.04 per million tokens
- MiniMax M2.5 (239B MoE, 11B active) at $0.06-0.50 per million tokens
- Cohere Transcribe for speech-to-text at $0.001/minute
The API is OpenAI-compatible. Change your base URL and your existing SDK calls route through the network. Streaming, function calling, and the Anthropic Messages API are all supported.
Pricing claims 50-70% below Azure OpenAI and AWS Bedrock. The economics work because there is no data center: the hardware already exists, the electricity cost is $0.01-0.03/hour, and providers keep 100% of inference revenue.
What Raises Red Flags
The concept is strong. The execution has gaps.
No hardware enclave. The entire security model rests on macOS kernel protections, not hardware isolation. Security researchers on Hacker News noted that Apple does not offer DCAppAttest on macOS (only iOS). Without a true hardware enclave, a sufficiently motivated attacker with physical access and a custom kernel could potentially bypass the protections.
Self-reported binary hashes. The attestation model relies on the node reporting its own binary hash. A modified binary could report the hash of the legitimate binary. The Secure Enclave signs whatever it is asked to sign; it does not independently verify binary integrity at the level of Intel SGX's measurement.
21 machines. At the time of writing, the network has 78 providers but receives minimal inference traffic. The earnings projections ($800-1,100/month for a Mac Studio) assume utilization rates that do not currently exist. As one commenter noted: if payback periods are really 2-4 months, Eigen Labs would just buy the hardware themselves.
Unaudited. The project explicitly warns it has not been security audited and should be used only for testing. For a system whose entire value proposition is privacy, this is a significant caveat.
Notarization gaps. The inference binary is not Apple-notarized. The Python runtime is downloaded from Cloudflare. Multiple users reported setup failures for image and audio models.
Why It Matters Anyway
Despite the gaps, the underlying thesis is important.
The inference market is where the action is. Training requires massive GPU clusters. Inference does not. A Mac Studio with 192GB of unified memory can run a 120B parameter model. The hardware exists in enormous quantities. The question has always been trust, not compute.
Software Access Path Elimination is a novel approach. Whether or not Darkbloom's specific implementation survives scrutiny, the idea of systematically eliminating observation paths instead of relying on hardware enclaves is worth studying. It is a different security paradigm.
The economics could work at scale. If the trust model is validated and demand materializes, the cost structure is genuinely disruptive. No data center capex. No cooling infrastructure. No GPU procurement. Just millions of machines that already exist, owned by people who would happily rent idle cycles for $30-50/month.
It reframes what a "cloud" is. The traditional cloud is someone else's data center. Darkbloom proposes that the cloud is someone else's laptop. If privacy can be guaranteed, there is no technical reason inference needs to happen in a centralized facility.
The Verdict
Darkbloom is a research prototype solving a real problem with an interesting but unproven approach. The Software Access Path Elimination concept is the most technically novel part. The Apple Silicon targeting is smart because the hardware is powerful, plentiful, and has kernel-level protections that other consumer platforms lack.
But the security model has known gaps that a hardware enclave would solve. The attestation model has a self-reporting problem. The network has negligible utilization. And the entire system is unaudited.
This is worth watching, not worth trusting with production data. Yet. If Eigen Labs can get an independent security audit and Apple eventually ships macOS attestation equivalent to iOS DCAppAttest, the calculus changes entirely.
The paper is at github.com/Layr-Labs/d-inference. The network is live at darkbloom.dev.