Several recent news reports have sparked discussion in the IT community and raised questions among some of our users. One topic is the view that paid online services are incompatible with anonymity – and therefore with strong data protection. Another is the risk of user accounts being hijacked through identity spoofing, which current events have brought back into focus.
As reported in the media, a Swiss email service recently handed over data associated with one of its user accounts following a legal request. Because this data included credit card details, which are tied to a real-world identity, the authorities were able to identify the user in question.
Threema is also a paid online service. However, rather than paying for a user account, Threema users pay for the software. A Threema ID can only be created within the app after it has been purchased and downloaded. Since payment details are not present in the app, linking such information to a user’s Threema ID is not possible.
If Threema is purchased via Apple’s App Store or Google Play, we as the app developer have no knowledge of the payment details. Apple and Google, in turn, have no knowledge of the Threema ID generated and used in the app.
Therefore, the payment details used to purchase the app cannot be inferred from a Threema ID. To find out which inventory data is stored on the server and associated with their ID, Threema users can send “info” to *MY3DATA.
Earlier this week, the Dutch intelligence services MIVD and AIVD warned of a large-scale cyberespionage campaign. Apparently, Russian state actors are attempting to hijack Signal and WhatsApp accounts of high-ranking military personnel and government officials.
In these phishing attacks, a contact posing as an official support bot instructs the target to provide their verification code for “security reasons.” If the target complies, the attacker can immediately take over the corresponding user account.
Another incident, where members of the US government accidentally added a journalist to a highly sensitive group chat, has already demonstrated that military information exchange requires dedicated communication solutions and should never be conducted via messaging services intended for personal use.
In Threema Private, Threema Work, and Threema OnPrem, the following mechanisms make such attacks more difficult or prevent them altogether:
Verification levels indicate the type of contact a user is dealing with: unknown, known, or verified. If an unknown contact attempts to impersonate Threema Support, the incorrect verification level will reveal this (one red dot). Threema’s official support ID (*SUPPORT) is a verified contact with three green dots.
Closed user groups allow administrators in Threema Work to restrict communication to internal contacts. This means users can only communicate with other members of the same Threema Work subscription, and it’s generally not possible for third parties to contact internal users and impersonate a support chatbot.
Self-hosting: With Threema OnPrem, organizations can run the chat service on their own servers, retaining full control over all aspects of the communication solution. In such isolated environments, communication is always limited to internal contacts, rendering phishing attacks of this kind impossible from the outset.
In light of these news reports, a subtle yet important conceptual difference between Threema and conventional online services becomes apparent.
With traditional online services, users create an account on the server when they first sign up. They then access this account using a username and a password of their choice. Often, the username is simply the user’s email address or phone number. If a user forgets their password, they can typically reset it via the email address or phone number associated with their account.
Most conventional messengers use the phone number as the username. Therefore, when using the service for the first time or switching to a new device, users receive a confirmation text message and sign in by entering the code it contains.
With Threema, however, each user generates a random Threema ID when launching the app for the first time. This ID is an eight-character string with no inherent connection to its owner. Although linking the Threema ID to a phone number is possible, it is optional, which allows for anonymous use.
Even if a phone number is linked to a Threema ID, the ID itself cannot be recovered using the phone number. If a Threema ID has not been backed up by its owner outside of the device, it cannot be recovered if the device is lost.
The obvious downside is that, without such a backup, the only option after losing the phone is to generate a new ID. However, this approach offers a significant security advantage: there is no server-side reset flow, so third parties simply cannot gain access to a user’s identity the way they can using the phishing attack described above.
It’s also important to note that SMS is a questionable channel for identity verification, since text messages are not end-to-end encrypted and pass through operator infrastructure in the clear. In countries where the telco infrastructure has to be considered compromised, state actors can potentially hijack user accounts by intercepting verification text messages.
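The following is an added, constructed model of the two account designs discussed in this section and of the verification-code attack described earlier in the post; it is example code written for this article, not Threema’s protocol or code. `PhoneNumberService`, `IdService`, the phone number, the device names and the use of a hashed secret in place of a key pair are all assumptions made for the illustration. It shows why phishing (or intercepting) an SMS code is enough to sign a foreign device into a phone-number account, while an ID-based identity has no code to phish and no reset path, so the only way back onto a new device is the owner’s own export.

```python
# Constructed model for this article: not Threema's protocol or code.
import hashlib
import secrets
import string

ID_ALPHABET = string.ascii_uppercase + string.digits


class PhoneNumberService:
    """Conventional messenger model: the phone number is the username and a
    six-digit SMS code is all a new device needs to sign in."""

    def __init__(self):
        self.devices = {}  # phone -> set of device names signed in
        self.pending = {}  # phone -> (code, device waiting to sign in)

    def request_login(self, phone, device):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, device)
        return code  # in reality this is sent as an SMS to `phone`

    def confirm_login(self, phone, device, code):
        pending = self.pending.get(phone)
        if pending is None or pending[1] != device:
            return False
        if not secrets.compare_digest(pending[0], code):
            return False
        del self.pending[phone]
        self.devices.setdefault(phone, set()).add(device)
        return True


def phone_number_takeover():
    """The 'support bot' flow: the attacker starts a login for the victim's
    number on the attacker's handset, the SMS code lands on the victim's
    phone, and the victim is talked into handing it over."""
    svc = PhoneNumberService()
    victim = "+41790000000"  # constructed number
    code = svc.request_login(victim, "victim-handset")
    svc.confirm_login(victim, "victim-handset", code)

    sms_code = svc.request_login(victim, "attacker-handset")
    phished_code = sms_code  # obtained by phishing or by reading the SMS in transit
    return svc.confirm_login(victim, "attacker-handset", phished_code)


class IdService:
    """ID-based model: the identity is a random eight-character ID bound to a
    secret that only the owner's device holds. The server keeps a verifier and
    an optional phone-to-ID mapping, but has no flow that hands the identity
    to a new device. (A real system would bind the ID to a key pair; a hashed
    secret stands in for that here.)"""

    def __init__(self):
        self.verifiers = {}   # id -> sha256(secret) hex
        self.phone_to_id = {}

    def create_id(self):
        tid = "".join(secrets.choice(ID_ALPHABET) for _ in range(8))
        secret = secrets.token_bytes(32)
        self.verifiers[tid] = hashlib.sha256(secret).hexdigest()
        return tid, secret  # live only on the device and in the owner's export

    def authenticate(self, tid, secret):
        verifier = self.verifiers.get(tid)
        presented = hashlib.sha256(secret).hexdigest()
        return verifier is not None and secrets.compare_digest(verifier, presented)

    def link_phone(self, tid, secret, phone):
        if self.authenticate(tid, secret):
            self.phone_to_id[phone] = tid

    def lookup(self, phone):
        """Linking a number only lets contacts find the ID; it never yields the secret."""
        return self.phone_to_id.get(phone)


def id_model():
    svc = IdService()
    tid, secret = svc.create_id()
    svc.link_phone(tid, secret, "+41790000000")
    export = (tid, secret)  # the owner's backup (ID export / Safe in the real product)

    # The attacker knows the number, learns the ID, but has nothing to phish:
    learned_id = svc.lookup("+41790000000")
    attacker_auth = svc.authenticate(learned_id, secrets.token_bytes(32))

    # Device lost with no export: the secret is gone, a fresh ID is the only option.
    new_tid, _ = svc.create_id()
    # With the export, the owner restores the very same identity on a new device.
    return {
        "attacker_learns_id": learned_id == tid,
        "attacker_can_authenticate": attacker_auth,
        "restored_without_export": new_tid == tid,
        "restored_with_export": svc.authenticate(*export),
    }
```

Run `phone_number_takeover()` and `id_model()` side by side: the first returns `True` (the attacker’s handset is now signed in to the victim’s number), while in the second the attacker learns the ID at most and cannot authenticate, and only the holder of the export gets the old identity back.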
If you wish to protect your Threema ID from unauthorized access without risking its loss, create an encrypted ID export (e.g., in the form of a printed QR code) and store it in a safe place, or set up a Threema Safe backup (optionally on your own server).