Honeypots

I like history, current events, privacy and security as subjects for reading and thought. An interesting subject at the intersection of these is that of honeypots. I thought it might be a good subject for off-topic discussion.

I’ll throw out the famous CryptoAG honeypot as a historical example and the FBI’s Anom network as another.

A recent piece of news along these lines was Tutanota being fingered last month as a honeypot by a Canadian official on trial for espionage crimes and then issuing a spirited denial.

What do you think are current honeypots? Why?

2 Likes

There’s little to no way of answering the question in a fact-based way. It’s all just going to be speculation.

9 Likes

Yeah… Personally I don’t see how Tutanota could even be a honeypot when they already follow the German laws and give out what they have to, etc.

4 Likes

The first link is an advertisement, not a news article. It is paid for by the company that makes the supposedly “uncrackable app”.

edit: sorry, sometimes I can be very dense. You were posting this as an example of a possible honeypot, I think.

3 Likes

The second link is more proof that open source should be a mandatory requirement. Closed source applications can claim what they want.

1 Like

Probably all of them, if you broaden the definition a little bit. Everything that is not 100% open source cannot be 100% trusted.

I’ll give you examples: Bitwarden offers zero-knowledge vaults. Meaning the server doesn’t know your password, they’re used locally to decrypt the content downloaded from the server, and you can attest it by looking at the client’s source code. But that “sign up” page where you create your account probably isn’t, and even if it is you can’t really be sure the server is running the open-sourced code.

Same goes for Proton. And Tuta. And all services where you input your password online.

“Oh, but it’s audited,” you may say. Yes, audited by those cybersecurity companies/researchers that keep finding lots of activity by Russian hackers, Chinese hackers, etc, but never anything done by our hackers in the west. No reason to believe they haven’t all received a visit by a man in suit telling them to look the other way or else…

4 Likes

That’s an interesting point. I had never considered it in that manner. I’m used to seeing banks being reported as solid by auditors only to collapse a few weeks or months later, but I tend to trust software audits, taking them for an honest appraisal. Maybe that’s not necessarily the case.

Exactly. And you can bet small cybersecurity auditing firms are cheaper to buy than the billion-dollar accounting auditors that were complicit with all major accounting scandals (Enron, WorldCom, Lehman, FTX, etc).

The sign up pages are definitely open source for the services you mention. Otherwise that would be completely stupid. Sign up is part of the app.

1 Like

Like others have noted, answers to this question are primarily based on speculation (by definition, a honeypot is designed to look and feel like a legitimate server/service/etc).

That being said, many of the big services (email providers, VPNs, and others) have had run-ins with the authorities before, so a statement that a government attempted to subpoena a user’s information but wasn’t able to, is a pretty good indicator. (Mullvad, for example.)

But there’s gonna be the folks that call it staged and insist that these things are indeed honeypots. And the only way to have a 100% secure email provider, for example, is to not have an email account. It’s all about your threat model.

You’re talking about “the law”.

“Authorities” includes both “the law”, which is stuff that needs to be proven in court, and what’s outside the law. That includes spy agencies, political persecution, etc.

Want to see an interesting example? If you look it up, you can find multiple news stories of the FBI recovering ransomware money but not arresting anyone or taking any other action. That means they couldn’t get through any service through the legal means (probably didn’t even try), but were able to hack VPNs, Tails, Tor, cold wallets, whatever technology criminals were using to get to the money and transfer it back.

Or the people were outside US jurisdiction.

Proton is raising money for a bunch of CIA fronts this year, by the way…

Do you have a source for any of the listed organisations being CIA fronts?

6 Likes

The source is their own Twitter feeds. If you spend 5 minutes there you’ll see half are little more than fake NGOs weaponized against the US government external and internal enemies.

Okay so no, you don’t have a source. Thank you.

2 Likes

Yes, I happen to think. Highly recommended.

That’s uncalled for, I just wanted a proper source instead of “just read twitter bro”.

3 Likes

Fair. I’m sorry.

But I’m not telling you to “read Twitter”. I’m telling you to read what the companies tell about themselves. And then connect the dots for yourself. It’s not hard, they’re not trying to hide anything.