Get the App
Download on the App Store Get it on Google Play Get it from Microsoft
or
Use the Web App
Secure Drop
Anonymous · Encrypted · No login required
Your message is sealed and anonymous. We cannot identify you. No account or login is needed.
Your message
Max 3 files, 10 MB each
Powered by City of Hats · Get your own Secure Drop
Secure Channel
Anonymous · Bidirectional · Encrypted
Start an anonymous conversation. You'll receive a thread code to check for replies later.
Your message
Max 3 files, 10 MB each
Thread Code
Enter your thread code above to check for replies.
Powered by City of Hats · Get your own Secure Channel
Dead Drops

One-Time Secure Delivery.
Then It's Gone.

Send encrypted messages, files, and credentials through self-destructing drops that burn after a single read. With steganography, time locks, and multi-path delivery — built for when even the channel needs to disappear.

Tutorial

See Dead Drops in Action

Watch how to create, share, and retrieve a Dead Drop in under 60 seconds. One-time access, burn-after-read, zero trace.

  • Create an encrypted dead drop with any message or file
  • Set a passphrase and optional time-to-live expiry
  • Share the retrieval code through any channel
  • Recipient opens once — content self-destructs
City of Hats Dead Drop
Dead Drops

Messages that burn after reading.

Dead Drops are self-destructing encrypted messages. Send sensitive information that disappears permanently after retrieval — no copies, no cache, no trace.

  • Self-destructs after a single view — content is permanently erased
  • Optional PIN protection — only the intended recipient can open it
  • Time-locked delivery — set when the message becomes available
  • Anonymous retrieval — no account required to receive a Dead Drop
  • Server-side encrypted — even we cannot read the contents
Core Capabilities

Built for Ephemeral Security

Every Dead Drop follows a strict lifecycle: create, deliver, destroy. No re-downloads, no server copies, no digital footprint.

Burn-After-Read

Once the recipient opens the drop, the encrypted payload is permanently destroyed on the server. There is no second chance — no re-download, no backup, no recovery. The data exists only for the moment it's needed.

Self-Destruct

Steganographic Delivery

Hide your encrypted payload inside an ordinary image. The carrier image looks like a normal photo — only the recipient with the correct key can extract the hidden message. Perfect for hostile network environments.

Steganography

Time-Locked Encryption

Set a time window for your drop. The encrypted content automatically expires and is purged from the server if not retrieved within the specified timeframe — even if no one reads it.

Time Lock

Multi-Path Delivery

Split the decryption key across multiple shares using Shamir's Secret Sharing. The drop can only be decrypted when all shares are reunited — delivered through separate channels for maximum security.

Shamir's Shares

Verify I'm Real

Require the sender to pass a human verification challenge before the drop is created. Prevents automated bots from flooding the system with fake dead drops.

Anti-Bot

Recipient Face Verification

The recipient must verify their face with a live biometric scan before the drop content is decrypted and revealed. Ensures only the intended person reads the message.

Biometric
How It Works

Create. Deliver. Destroy.

A Dead Drop follows a strict lifecycle. No account needed, no pairing required — just a link and a key.

1

Compose Your Drop

Write your message or attach a file. Choose your options: steganography, time lock, multi-path shares. Everything is encrypted client-side with AES-256-GCM before leaving your device.

2

Share the Link

You receive a unique retrieval URL containing the drop code. The decryption key is embedded in the URL fragment — it never touches the server. Share via any channel you trust.

3

Recipient Retrieves & Burns

The recipient opens the link, the message is decrypted in their browser, and the server permanently deletes the encrypted payload. One read. Zero traces.

Compose
Client-side E2E encryption
Store
Encrypted blob only
Share
Key stays in URL fragment
Retrieve
Decrypted in browser
Burn
Permanently deleted
Use Cases

When You Need One-Time Delivery

Dead Drops are designed for handoff, not conversation. Here's when they're the right tool.

Incident Response

Share breach details, indicators of compromise, and forensic screenshots with your security team — without leaving evidence in Slack or email.

Credential Delivery

Send temporary passwords, API keys, or recovery codes that self-destruct after a single read. No more "I sent it in Slack" risks.

Legal & Compliance

Deliver sensitive legal documents, contracts, or compliance reports with guaranteed destruction after retrieval. Full audit trail on client side.

Whistleblower Sources

Accept anonymous tips through steganographic drops that are indistinguishable from normal images. No metadata, no trail, no exposure.

Healthcare / HIPAA

Transfer patient data or test results securely with time-locked drops that expire within hours. Compliant with data minimization requirements.

Enterprise File Transfer

Send board-level documents, M&A materials, or financial reports through encrypted drops with multi-path key splitting for dual-authorization.

Security Principles

Dead Drop Rules

These aren't just features — they're architectural constraints that cannot be bypassed.

Enforced

  • One-time retrieval — deleted after first read
  • Client-side AES-256-GCM encryption
  • Decryption key never touches the server
  • Automatic expiration on time-locked drops
  • No account or pairing required
  • File attachments (up to 25 MB)
  • Client-side hash-chained audit log

By Design, Never

  • No re-download or second read
  • No server-side preview or rendering
  • No cloud storage or backup copies
  • No forwarding mechanism
  • No link to sender identity
  • No metadata logging on server
  • No recovery after burn