GrapheneOS accuses compeitors of sabotage, exits France over police threats

The drama surrounding GrapheneOS has escalated from a debate over security patches to what looks like full-blown corporate and geopolitical warfare. Following heavy scrutiny in the French press, where the OS was branded a “tool for traffickers,” the GrapheneOS team has initiated a scorched-earth response.

They are pulling their server infrastructure out of France, openly naming the competitors they believe are orchestrating a smear campaign, and threatening to ruin the exploit market for everyone by contributing directly to Android (AOSP).

The “unnamed” antagonist revealed: it’s Murena & iodé

Earlier this week, we reported that GrapheneOS slammed an unnamed “small company” for spreading libel and misinformation after a failed partnership. At the time, we speculated that Murena, the company behind /e/OS, might be the company in question.

GrapheneOS has now dispensed with the subtleties. In a series of posts on X (formerly Twitter), the team explicitly named Murena and iodé (the team behind iodéOS) as the likely instigators of the recent negative press in France.

“It’s very possible Murena and/or iodé are involved. Both are French companies selling products with extraordinarily poor privacy/security. Both are useful to official state plans of locally hosted services with encryption backdoors.”

Both companies are direct competitors in the privacy space and have recently made moves on similar hardware. Murena recently launched the Murena HIROH Phone and SHIFTphone 8, while iodéOS also powers the modular Shift 8. GrapheneOS alleges that these companies are “misleading users” with inferior security standards (lagging on patches and encouraging unlocked bootloaders) and suggests they may be cooperating with the very state surveillance GrapheneOS fights against.

The “fake Snapchat” myth & the Anom parallel

The accusations from GrapheneOS come in response to articles by Le Parisien and Le Figaro, which claimed criminals use a version of GrapheneOS equipped with a “fake Snapchat” page that wipes data when accessed.

GrapheneOS categorically denied this, stating that no such feature exists in their code. Instead, they argue French police are likely conflating the official OS with illegal, closed-source forks sold on the black market, similar to the Anom sting operation, where the FBI distributed compromised devices running a custom OS to catch criminals.

“Products using operating systems partially based on our code are not GrapheneOS… There’s no such thing as a fake Snapchat app wiping the device in GrapheneOS.” The team insists that while their code is open source, legitimate GrapheneOS is free and obtained only from their official website and not via “shady dealers” in dark alleys.

Exiting France: “We don’t feel safe”

Perhaps the most significant development is the operational fallout. GrapheneOS announced it is moving all server infrastructure hosted by OVH (a major French cloud provider) out of the country.

While the project is a Canadian non-profit, they have historically used OVH for mirrors and discussion servers. That ends now. The team cited a specific passage in the Le Parisien coverage as a “direct threat” from French law enforcement leadership (OFAC), implying that tech providers who do not provide backdoors will face legal consequences.

“We’re going to be ending the small amount of operations we have in France as we don’t feel the country is safe for open source privacy projects anymore… We don’t want to host servers in France or host servers with OVH anymore.”

The team is moving services to providers in Canada, Germany (Netcup), and the US. They also stated they will no longer travel to France for conferences or hire staff located in the country, citing the French government’s support for “Chat Control” (EU mass surveillance legislation) and “authoritarian” tendencies.

The nuclear option involves helping Google

In a twist of irony, the hostility from French authorities and the alleged smear campaign have pushed GrapheneOS closer to the company they usually criticize: Google.

The team stated that the situation “almost makes us willing to contribute to AOSP [Android Open Source Project] again,” specifically to patch the vulnerabilities that law enforcement agencies are using to exploit non-GrapheneOS devices.

“Google is welcome to reach out.”

By hardening the base Android code, GrapheneOS would effectively “burn” the expensive exploits used by police and forensic firms like Cellebrite, making all Android phones harder to crack, not just Pixels running GrapheneOS.

The privacy phone market is usually a quiet niche, but this has exploded into a major controversy. GrapheneOS is effectively drawing a line in the sand: you either have mathematical security that cannot be broken (which upsets law enforcement), or you have “privacy theater” that remains compliant with state demands (which they accuse Murena and iodé of offering).

Accusing competitors of being state-aligned honey pots is a massive claim, but GrapheneOS has never been one to mince words. By choosing to migrate their servers to Toronto, Germany, and other locations, it’s clear that they would rather leave a major European market’s jurisdiction than compromise on their “no backdoors” policy.