SimpleX Chat Leaking User IPs

From this link

SimpleX Chat doesn’t take any action to protect your IP from prying eyes. Take a look for yourself:

SimpleX Messaging Protocol Server can: … learn a recipient’s IP address, track them through other IP addresses they use to access the same queue, and infer information (e.g. employer) based on the IP addresses, as long as Tor is not used.

More Cases of IP Exposure

This isn’t the only case of SimpleX leaking user IPs when sending a link:

Thankfully, SimpleX’s founder, Evgeny Poberezkin, addressed the issue. However, instead of acknowledging it as a privacy flaw, he labeled it a feature, not a bug:

Given that it is a documented behaviour, it is certainly not a bug, and it is also incorrect to call it a leak - every server you connect to, be it your ISP, VPN provider or Tor relay, can see your IP address, as this is how the Internet works.

Instead of resolving the issue, SimpleX suggests users take extra steps to mitigate the risk themselves, such as:

- Using a VPN.
- Disabling link previews manually in settings.

But as one commenter pointed out:

It is important to state that no other messaging app that we know of considers this a non-issue. Not even Discord or Matrix - both ask a fully (Discord) or semi (Matrix)-trusted server to do the network request on behalf of the client.

Strange Justifications for Avoiding Tor Integration

SimpleX further avoids integrating Tor, claiming:

The last, but not the least, it would create an unfair competitive advantage to Tor. We believe in competition, and we want our users to be able to choose which transport overlay network to use, based on what network threat model works best for them.

Rather than embedding Tor, they expect users to set up Orbot manually, arguing that if users can’t manage this, they shouldn’t be using Tor at all.

At this point, users might be better off using Facebook Messenger with PGP keys.

Dismissive Responses to Security Concerns

When users raise concerns, responses often feel dismissive:

https://www.reddit.com/r/SimpleXChat/comments/19efalx/can_i_really_pull_other_peoples_ip_addresses

More comprehensive criticism of SimpleX’s privacy weaknesses:

Examples of user concerns being brushed aside:

Additional Concerns

  • The company is based in London.
  • The project has received funding from Jack Dorsey.

Another discussion highlighting these and other issues:
https://kiwifarms.st/threads/simplex-chat-discussion.203000/

Conclusion

I don’t trust SimpleX to protect my IP address. Their dismissive attitude toward privacy concerns raises suspicion.

1 Like

if you’re using an online messenger of any kind and you have any expectation of privacy, then you should probably be using VPNs and Tor…

you shouldn’t be putting any trust in any entity to protect your IP address for you…

this smells like FUD

3 Likes

I agree with your statement that you can’t trust one entity to protect your IP. SimpleX is a relatively new platform, so over time people will realize this isn’t magic. Stuff like this, which brings it under scrutiny, also brings a more informed choice.

IP is just one metric; nowadays there is much more important stuff to worry about, like deep packet inspection, SNI, Client Hello, and the list goes on and on. I still have to familiarize myself with the application. Personally I’m curious about the potential for an attacker to perform an exploit/attack by abusing a server or from a user itself. I have yet to fuzz it and fill every possible field with some dingus payload.

Not really. Personally, I’ve expressed concerns over SimpleX leaking the IP addresses to the server in the linked PrivacyGuides forum.

Any messaging app can be secure, even a completely unencrypted one, IF its threat model, i.e. the effectiveness of (or lack of) security mechanisms against known attacker types, is communicated honestly and openly, and that threat model is trivial to find. A great example is https://tryquiet.org/ which just puts the threat model in the header bar.

Now try finding that with SimpleX on your own. Without cheating, you’ll be spending a good while navigating the menus. Solution: Reference → Security → Scroll down to threat model

Indeed, metadata privacy for IP anonymization more or less depends on proxies or proxy chains. Tor Onion Services do fantastic work with this, considering there’s no way to accidentally deanonymize yourself, no forgotten proxy settings before connecting to the server without Tor. If it works at all, you know you’re doing it right. There’s no chance that a lazy contact might bypass Tor because it’s “too slow”, leaving breadcrumbs about other group members if the users know each other in real life.

SimpleX has Onion Service support when you install and enable Tor. But last time I checked, there was zero indication I was actually connecting through Tor. I had to fire up Wireshark and do a reverse lookup on the TCP DST IPs to see if they match Tor entry nodes. This is anything but ideal in a tool that can be used without Tor.

But the real issue is with how the program markets itself on the front page. Setting aside the corporate puff of claiming to be the most secure messenger ever, they’ve claimed:

Other apps have user IDs: Signal, Matrix, Session, Briar, Jami, Cwtch, etc.
SimpleX does not, not even random numbers.
This radically improves your privacy.

The issue here is the claim that SimpleX improves over other messengers. The listed Cwtch is a particular issue, as it’s a messaging system operating via Onion Services. Not only does Cwtch default to Tor, it has no server in the middle caching ciphertexts for call-signs, as Onion Services are effectively peer-to-peer in a messaging app context: all users run a web server and a requests-like client as inbox and outbox.

In SimpleX, the IP address leaks to the server by default, meaning it’s not anonymous by default. Defaults and misuse resistance are extremely important in cryptography and its applications.

The SimpleX CEO disagrees with the idea that the IP address is his job to protect. He’s allowed to define the security mechanisms of his project, and there are plenty of great tools that don’t mask it, like Signal. But he’s at the same time putting his project above Cwtch, and bases this claim on “Cwtch Onion Service address being an identifier that’s part of Tor’s routing protocol”.

But I think nobody would claim that Onion Service addresses are as identifying as IP addresses, especially on a messaging app like Cwtch that allows you to spin up an arbitrary number of user accounts, one per contact if need be. So it’s not the case that Alice can prove to Charlie that ID_CB belongs to Bob, because her Cwtch user ID for Bob (ID_AB) is usually entirely different.

So SimpleX is not at the top in terms of privacy tech of networked TCB messengers. It’s a great balance of course. It’s got potential to be somewhere between Signal and Cwtch in terms of privacy. But it’s again the marketing claims and unfair pushing down of competitors that’s the problem.

It’s not hiding the IP addresses of users. It’s instead pushing marketing on the concept of queues (basically internal socket/port numbers for connections between servers), but all public SimpleX server infra is likely still programmed, installed, and maintained by SimpleX and they can program the running instance of the server (not the same as on GitHub) to work in any way they please.

And even if I’m wrong about that, there are still just two massive VPS providers hosting ALL that server infra: Akamai and Runonflux. These companies can perform end-to-end correlation on any two users that land on their infra, to see that a 42069 byte packet entering from Alice’s IP and exiting through Bob’s IP in a time window of a few milliseconds.

Also, we’ve seen attacks like the SolarWinds Orion breach where the out-of-band system allowed compromising an entire server farm. And we’ve seen massive companies like Facebook and Microsoft partner with the government. Why would companies like Akamai be excluded?

So there is no transparency to what is happening on server-side. This is why good privacy by design proves that it’s safe from the client’s point of view. For content-privacy that means end-to-end encryption with fingerprints. For IP-addresses (if you want to provide that) that means defaulting to Tor. For quantity/schedule data that means traffic flow confidentiality mechanisms.

So yeah, you’re absolutely right, the central part of privacy relies on using a VPN or Tor. Since VPNs internally know who you are from payment info or entry point IP, it’s second to Tor.

But since to you it’s extremely clear Tor is useful, and since the CEO is so reluctant to finalize support for Tor and communicate clearly the dangers of not taking those extra steps, it’s clear the project is more concerned about presenting an overly optimistic image of its security than backing its security claims with the technology that’s tried and tested and that the competition is already using.

I’m sure most people on a forum like this don’t mind configuring and checking Tor usage themselves, but messaging apps are nasty in that they’re only as secure as the weakest link which is usually your technically illiterate peers.

So, treat SimpleX as an end-to-end encrypted messaging app, the servers of which you can join anonymously if you are a sophisticated user. Don’t treat it as an anonymous messenger or “without any identifiers”. It’s not that until it is that by default. Whether you treat such misleading claims as a deal breaker is up to you.

I won’t blame you if you decide to stay, given that there isn’t a single obvious choice right now. But were I you, I’d see if Quiet, which I linked above, works well enough. It’s an Onion Service based Slack clone and might have decent enough UX over the security that’s necessary to make the claims SimpleX is making.

Full disclosure: Not affiliated with either Cwtch or Quiet. I have my own separate project for a different threat model.

1 Like