June 25, 2026

They broke the metadata, not the cipher: the Ricochet lesson

Ricochet is the opposite design from EncroChat. There are no servers at all: every user is their own Tor onion service, and you exchange addresses directly. It is a serious privacy tool, not a criminal network, and it lives on today as Ricochet Refresh. In 2024 we learned police took a user’s metadata anyway. Not the words. The who and the when. Again, without touching the cipher.

What actually happened

In September 2024 the German broadcaster NDR — its Panorama team and STRG_F — reported, with the Chaos Computer Club, that in the “Boystown” investigation German law enforcement had deanonymised a suspect who used Ricochet. The method was timing analysis plus a guard‑discovery attack: run enough Tor relays, watch which entry (guard) node a target’s onion service keeps returning to, then have a court — in Frankfurt — compel the internet provider (Telefónica / O2) to name the subscriber connecting to that node. A physical identity, with no break of Tor and no break of the cipher. The reporting indicated both v2 and v3 onion addresses were deanonymised this way, at least between Q3/2019 and Q2/2021.

The reason it worked

Every Ricochet user was a standing onion service — a fixed, addressable thing on the network you could poke, time, and trace back through a guard. “No central server” meant nothing leaked to an operator — there was none. It leaked to the network, because the target sat still and answered. (It did not help that the suspect ran an old Ricochet without Vanguards, the guard‑hiding defence — but the deeper problem was being a service at all.)

So the lesson is sharp: “no central server” is necessary, not sufficient.

What YGOOW changes

You are a client, not a service. In YGOOW the onion service is the deaf relay; you are a Tor client reaching it. You publish no onion descriptor, run no standing service, answer no prober. The exact anchor the Boystown attack needed — a fixed service to do guard‑discovery against — is not how you appear on the network at all. There is nothing of yours sitting still to be timed.

Traffic shaping by default. On top of that, frame padding is on by default, with cover traffic, per‑persona circuit isolation, and rotating conversation tags, each one raising the cost of the timing correlation an attacker would have to run. (YGOOW also embeds today’s Tor, of the Vanguards‑lite era, not a 2016 build, but that is table stakes, not the argument.)
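As an added illustration, not YGOOW’s own code or wire format, here is what fixed-size frame padding plus cover traffic at a constant cadence looks like on the sending side, and how little a passive observer of the frames is left with. The 512-byte frame, the 3-byte header and the three frame types are assumptions made for this demo.

```python
import os
import struct

# Demo of frame padding + cover traffic (constructed; layout and sizes are assumptions, not YGOOW's format).
FRAME_SIZE = 512                  # every frame on the wire is exactly this long
HEADER = 3                        # 1-byte frame type + 2-byte true payload length
MAX_PAYLOAD = FRAME_SIZE - HEADER
COVER, DATA, DATA_END = 0, 1, 2   # DATA_END marks the last chunk of one message

def pad_frame(kind, payload=b""):
    """One fixed-size frame; the unused tail is random filler, so the length reveals nothing."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds one frame")
    return struct.pack(">BH", kind, len(payload)) + payload + os.urandom(MAX_PAYLOAD - len(payload))

def unpad_frame(frame):
    """Recover (kind, payload); anything that is not exactly FRAME_SIZE is rejected."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("malformed frame length")
    kind, n = struct.unpack(">BH", frame[:HEADER])
    if n > MAX_PAYLOAD:
        raise ValueError("malformed payload length")
    return kind, frame[HEADER:HEADER + n]

def shape(messages, ticks):
    """Constant-cadence sender: exactly one frame per tick, cover frames on idle ticks."""
    chunks = []
    for m in messages:
        pieces = [m[i:i + MAX_PAYLOAD] for i in range(0, len(m), MAX_PAYLOAD)] or [b""]
        chunks += [(DATA, p) for p in pieces[:-1]] + [(DATA_END, pieces[-1])]
    if len(chunks) > ticks:
        raise ValueError("not enough send slots for the queued data")
    return [pad_frame(*chunks[t]) if t < len(chunks) else pad_frame(COVER) for t in range(ticks)]

def observe(frames):
    """All a passive observer gets from the frames themselves: the set of sizes and the count."""
    return {len(f) for f in frames}, len(frames)

def receive(frames):
    """Receiver: drop cover, reassemble messages at DATA_END boundaries."""
    messages, current = [], []
    for f in frames:
        kind, payload = unpad_frame(f)
        if kind != COVER:
            current.append(payload)
        if kind == DATA_END:
            messages.append(b"".join(current))
            current = []
    return messages
```

Whether the user sent two bytes, 1200 bytes, or nothing, the observer sees the same number of identical 512-byte frames; this hides sizes and activity gaps, it does not defeat an adversary who can correlate the cadence itself across the whole network, which is exactly the edge the post draws.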

Where it ends — because we always say so

None of this defeats a global passive adversary who can correlate timing across the whole network. That problem is unsolved for every low‑latency Tor system, ours included; padding raises the price of the attack, it does not grant immunity. It is exactly why we never printed “zero metadata” — we printed NO IP · NO LOCATION. And mind the trap that caught Ricochet’s defenders: onion v3 alone is not the fix — v3 addresses were deanonymised too. The fix is not being a standing service, plus traffic shaping, plus the honesty about the edge.

Two stories, one throughline: neither EncroChat nor Ricochet was a broken cipher. One lost its content; the other lost its metadata. That is why YGOOW treats content secrecy and metadata unlinkability as two different jobs — and tells you the honest edge of each.

Your key, your rules — everything else is redacted.
