It has become common to observe cyber threat actors using a ProtonMail email address to run their operations. The result is that the Switzerland-based privacy-focused service provider is facing a difficult balancing act: stop cybercriminals from exploiting its services while preserving the end-to-end encryption and privacy guarantees that define the brand.

Proton made its debut at Infosecurity Europe in 2026 and in covonversation with Infosecurity Raphael Auphan, the COO, described how the company approaches that tension through engineering, operational controls and strict legal processes.

Auphan emphasized that Proton’s technical architecture imposes clear limits on what the company can do.

“We cannot access message contents because we don’t have the keys, and we cannot geolocate our users, as end-to-end encryption is part of our privacy model,” he said. That cryptographic constraint, he explained, is central to user trust but means content-level surveillance or forced decryption is simply not possible.

Faced with that limitation, Proton invests heavily in account-level and behavioral defenses.

Auphan reported that Proton has a dedicated anti-abuse team that builds machine‑learning models to detect suspicious account-creation patterns and other signals of misuse.

Those systems focus on identifying bot-driven clusters, automated mass sign-ups and other early indicators so malicious actors can be stopped prior to carrying out operations that rely on Proton accounts.

Takedown Requests Must Be Lawful and Legitimate

When unlawful activity does occur, Proton’s response is shaped by Swiss law and strict verification steps.

While the company cannot hand over encrypted message contents, it can close accounts, provide available metadata and hand over this information to vetted law enforcement and help investigations – as long as they follow lawful processes and are motivated by legitimate reasons.

Auphan said that the company receives a "significant amount" of such requests from all over the world.

To get Proton onboard, however, he explained that requests should go through Interpol or the Swiss federal police for validation, so that only after Swiss authorities vet a submission Proton will act.

“When legitimate requests come in, they must be routed through Swiss federal authorities and legally verified before we act,” Auphan noted.

Additionally, even if the law enforcement followed the right processes, Proton will only act if it deems the request legitimate.

“It needs to come from true suspicion of malicious, or even criminal, activity. We would not take down the account of an individual for an political opponent,” said Auphan.

The executive acknowledged the trade-offs involved, as anti-abuse systems that rely on behavioral signals can raise privacy and false‑positive concerns and denying content access even to fight crime can frustrate investigators.

Still, he argued that Proton’s approach aims to strike the right balance.

“We have no interest in allowing malicious actors to use our platform,” Auphan concluded.