Threema Sold to Private Equity Again
Your encrypted messages sit on infrastructure controlled by a German private equity firm whose previous acquisitions include Cloud7 premium dog beds and The Tofoo Company.
The Swiss messenger Threema just changed hands for the second time since 2020. Comitis Capital, a Frankfurt-based private equity firm founded in 2021, announced the acquisition of Threema Holding AG on January 13, 2026. The deal closes this month, transferring ownership from previous investor Afinum Management and the company's founders.

Comitis Capital manages a portfolio that includes Cloud7 (premium pet accessories) and The Tofoo Co. (British tofu products). Threema represents their first venture into technology or privacy-focused software. Managing Partner Nikolaus Bethlen framed the purchase around "European data sovereignty and regulatory compliance," the kind of language that sounds impressive until you remember the buyer's expertise lies in dog treats and plant-based protein.
This acquisition follows a pattern that should concern anyone who chose Threema specifically for its privacy promises. Afinum acquired a majority stake in September 2020, with the three founders retaining minority ownership and continuing to run operations. That arrangement lasted four years before all three founders departed in September 2024. Martin Blatter, Silvan Engeler, and Manuel Kasper, the people who built Threema from a 2012 side project into a business that reached 10 million users by 2021, walked away. Their replacement, Robin Simon, spent his career at TX Group, Switzerland's largest media conglomerate, running classifieds platforms and digital marketplaces. His background includes zero experience in cryptography, privacy engineering, or secure communications.

Founders leave, new CEO from a media company takes over, and four months later the whole thing flips to another private equity shop. Private equity firms exist to increase company value and exit profitably within three to seven years. They pressure portfolio companies toward aggressive growth, which typically means finding new revenue streams, and the most valuable asset a messenger possesses is its user data.
Threema's privacy policy claims the company collects virtually nothing. The architecture allegedly prevents even Threema from connecting your identity to your messages. But architecture can change, and terms of service can change. When ownership transfers, FTC guidance requires the new owner to honor existing privacy commitments only until they obtain fresh user consent for different practices. A push notification asking you to accept updated terms could quietly authorize data collection that would have been impossible under the previous regime.
Threema's security credentials already carried asterisks before this sale. In January 2023, researchers from ETH Zurich published an analysis identifying seven distinct cryptographic attacks against Threema's protocol. The vulnerabilities included methods to clone accounts and steal private keys. Threema's response dismissed the findings as theoretical with "unrealistic prerequisites," then quietly updated their protocol and characterized the analyzed version as obsolete. Bruce Schneier noted the problematic disclosure strategy: Threema benefited from responsible researcher notification, then used that update to downplay severity.
The protocol problems ran deeper than a single audit revealed. Cryptographer Soatok documented that Threema lacked end-to-end forward secrecy entirely until late 2022, meaning that decrypting one message allowed decryption of subsequent messages too. The app truncated SHA-256 hashes to 128 bits for peer fingerprints, providing only 64 bits of collision resistance (comparable to broken SHA-1). Group messages lacked authentication entirely, enabling attackers to send different content to different recipients undetectably. Soatok concluded that security researchers had "quietly put Threema in the 'clown-shoes cryptography' bucket" due to years of closed-source operation combined with marketing claims that exceeded technical reality.
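The birthday-bound arithmetic behind the truncated-fingerprint point above, as an added example that is not from the original article or from Threema's code. It generalizes to small widths (16 to 32 bits) so the search finishes in seconds; the function names and sample inputs are constructed for illustration.

```python
import hashlib
import math


def truncated_fingerprint(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(data) as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_search(bits: int):
    """Hash distinct constructed inputs until two share a truncated fingerprint.

    Returns (input_a, input_b, hashes_computed).
    """
    seen = {}  # fingerprint -> first input that produced it
    n = 0
    while True:
        msg = b"constructed-sample-%d" % n  # constructed input, not real key material
        fp = truncated_fingerprint(msg, bits)
        n += 1
        if fp in seen:
            return seen[fp], msg, n
        seen[fp] = msg


def expected_work(bits: int) -> float:
    """Expected hashes until the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def collision_security_bits(bits: int) -> float:
    """Collision resistance, in bits, of a fingerprint truncated to `bits` bits."""
    return math.log2(expected_work(bits))


if __name__ == "__main__":
    # Measured work tracks 2^(bits/2), not 2^bits.
    for width in (16, 24, 32):
        a, b, used = birthday_search(width)
        print(f"{width}-bit fingerprint: collision after {used} hashes "
              f"(estimate {expected_work(width):.0f}); {a!r} vs {b!r}")
    # The same estimate applied to the 128-bit truncation the article describes.
    print(f"128-bit fingerprint: ~{collision_security_bits(128):.1f} bits "
          "of collision resistance")
```

The measured counts grow with the square root of the fingerprint space, which is why halving the output length of a hash halves its collision resistance in bits.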
Threema eventually open-sourced its client apps in December 2020 and introduced a new protocol called Ibex in November 2022. That protocol has not been independently audited. Users trusting Threema with sensitive communications rely on the company's assurances rather than verified security properties.
Comitis Capital claims Threema's "core values, corporate mission, and management remain unchanged." The founders who established those values are gone.
The CEO who replaced them built his career at a media advertising company.
The new owners specialize in consumer products, not security software. Their stated investment thesis emphasizes "accelerating revenue growth." That language sits uncomfortably next to promises of uncompromising privacy.
Session and Signal, among many others, remain free. SimpleX is also very badass. If you're paying for Threema because you believed Swiss jurisdiction and founder-led operations provided meaningful protection, both of those characteristics now belong to the past. Your encrypted messages sit on infrastructure controlled by a German private equity firm whose previous acquisitions include Cloud7 premium dog beds and The Tofoo Company.
The messenger you trusted with your private communications just became inventory on a balance sheet. Act accordingly.