{"id":30803,"date":"2026-06-05T19:56:20","date_gmt":"2026-06-05T14:26:20","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=30803"},"modified":"2026-06-05T19:56:20","modified_gmt":"2026-06-05T14:26:20","slug":"xchat-privacy-security-risks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/xchat-privacy-security-risks\/30803\/","title":{"rendered":"XChat: what’s wrong with Elon Musk’s new messaging app?"},"content":{"rendered":"

Pavel Durov and his \u201cprivate\u201d messaging app have a brand new rival, and it\u2019s\u00a0\u2014 drumroll, please\u00a0\u2014 Elon Musk and his XChat. On our blog, we\u2019ve discussed more than once why Durov\u2019s claims about Telegram privacy and security are exaggerated, to put it mildly<\/a>. Here, I\u2019ll just remind the reader that standard (non-secret) chats on Telegram aren\u2019t protected by end-to-end encryption \u2014 the bare minimum required for user data to stay private.<\/p>\n

But let\u2019s get back to Musk. In late April 2026, the XChat app launched<\/a> for iOS users. The tech mogul had been touting his messaging app for a long time, pitching it from day one as an incredibly private and secure way to communicate, and as a direct threat to Signal, WhatsApp, Telegram, and iMessage. Today, we look at whether we should actually trust\u00a0Musk\u2019s promises<\/s> this new service, break down its core features, and stack it up against the competition.<\/p>\n

Bitcoin-style encryption<\/h2>\n

Musk initially teased XChat on June 1, 2025<\/a>, naturally via his X (formerly Twitter) account. Responding to another user\u2019s question about when to expect the new service, Musk wrote: \u201cThis week if there are no scaling issues.\u201d<\/p>\n

Apparently, scaling issues there were: the app\u2019s beta didn\u2019t drop until September 2025<\/a>, and iOS users didn\u2019t get full access until April 2026. As for Android, there is zero info on when that version would launch at the time of this writing. That said, an XChat page is already live on Google Play<\/a> where users can queue up<\/s> \u201cpre-register\u201d, whatever that means.<\/p>\n

But let\u2019s go back to Musk\u2019s post announcing XChat. That specific post turned a lot of heads in the privacy and cybersecurity community, and here\u2019s why: the tech mogul wrote that the service would be built on an \u201centirely new architecture\u201d, written in Rust, and featuring \u201cBitcoin-style encryption\u201d.<\/p>\n

\"Elon<\/a>

Elon Musk announces the launch of XChat, claiming the new messaging app is written in Rust and uses \u201cBitcoin-style encryption\u201d. Source<\/a><\/p><\/div>\n

The expert community spent a long time scratching their heads and trying to figure out what Musk actually meant. After all, Bitcoin isn\u2019t an anonymous, encrypted data exchange system. The blockchain does use public and private cryptographic keys, but for something entirely different: signing transactions. Meanwhile, these transactions aren\u2019t hidden from prying eyes; they\u2019re out in the open for anyone to see, forever. Simply put, Bitcoin protects its users not by ensuring privacy, but quite the opposite\u00a0\u2014 through ultimate transparency.<\/p>\n

Most likely, Musk used \u201cBitcoin-style encryption\u201d as a marketing gimmick<\/a>. Bitcoin was trading near all-time highs at the time of his announcement, and cryptocurrency was the talk of the town. Technically, the XChat beta that dropped in September 2025 protected user chats with a \u201ckind of\u201d end-to-end encryption, but this was implemented in a way that raised serious doubts among cryptography experts<\/a>.<\/p>\n

And not without a reason. Normally, setting up an end-to-end encrypted chat automatically generates a public and private key pair. The public key is used to encrypt messages, while the private key decrypts them. Because other users need your public key to start a secure chat with you, these keys are usually stored on the app\u2019s servers.<\/p>\n

The private key, however, should ideally live only on the user\u2019s device\u00a0\u2014 which is exactly how Signal does it. This serves as a simple, ironclad guarantee that neither the company itself nor any third party breaching its infrastructure can access user chats, even if they really want to.<\/p>\n

But Elon Musk\u2019s projects always march to the beat of their own drum: the XChat developers decided it would be a great idea to store users\u2019 private keys on XChat servers. X claims they\u2019ll use hardware security modules (HSMs) to store these private keys\u00a0\u2014 specialized appliances designed to prevent even the system owner from easily accessing the data inside. However, experts are also questioning<\/a> the reliability of this setup, and coming to a grim conclusion: if X really wants to get a user\u2019s private key, they will most likely be able to do so.<\/p>\n

How encrypted messaging in XChat works in practice<\/h2>\n

Finally, once the scaling issues<\/em> were ironed out nearly a year after the announcement, X officially rolled out the XChat app for iOS in April 2026. Now anyone can use it, but from a practical standpoint, the situation with encrypted chats seems even more convoluted than in Telegram.<\/p>\n

According to the social network\u2019s help center<\/a>, to use end-to-end chat encryption in XChat, both users must have an X account, set up XChat, and have some sort of connection between them:<\/p>\n