Could someone potentially set up a Session messenger account in order to catch others in nefarious acts?
Executive summary
Yes — technically someone can create a Session account and use it to observe or entrap others, because Session allows fully anonymous Account IDs with no phone or email required and routes messages over a decentralized, onion‑routed network that minimizes metadata [1] [2]. Session’s design deliberately limits linking accounts to real‑world identities and offers no central reporting/metadata that would let a third party easily trace users, which both enables privacy and complicates external oversight [3] [4].
1. How Session’s anonymity makes undercover accounts easy to create
Session generates random 66‑character Account IDs and does not require a phone number or email to register, so anyone can create an account without supplying identifying information — a practical enabler for someone trying to pose as another user or to covertly monitor groups [1] [2]. Multiple reviews and guides highlight that anonymous account creation is Session’s defining privacy feature, and the app’s decentralized architecture and lack of central metadata logging mean there’s little for authorities or victims to subpoena later [5] [3].
2. Technical limits on “catching” wrongdoing from inside the app
Session uses end‑to‑end encryption and decentralized routing so the operator of the network cannot read message contents and the app aims to minimize metadata, which prevents easy reconstruction of who spoke to whom or when [1] [2]. That means an undercover account can only gather what it is directly sent or permitted to see inside group chats — it cannot silently exfiltrate broader conversational metadata from the network itself [3] [6].
3. Real‑world risks: impersonation, entrapment and unreported abuse
Several user reports and app‑store comments note problems like being added to abusive or illegal group chats and difficulty reporting them; one reviewer described being added to a group that posted child sexual abuse material and finding no in‑app reporting mechanism for the whole group [3]. Those accounts illustrate how anonymity plus limited reporting channels can let bad actors create accounts to harass, groom, or entrap others without easy recourse [3].
4. What Session and third‑party reviewers say about safeguards
Session’s own documentation and foundation emphasize decentralization, metadata minimisation, and features like onion routing as privacy protections; the foundation also publishes transparency reports and is developing Protocol V2 to improve forward secrecy and device control [2] [4] [7]. Independent reviews cited in sources note Session inherits Signal’s cryptographic strengths and has undergone audits (the sources mention a past Quarkslab audit), but some security commentators have criticized Session’s design choices and raised concerns in blog posts [1] [6].
5. Protocol upgrades change the threat landscape — for better and worse
Session is actively evolving: proposed Protocol V2 aims to add Perfect Forward Secrecy, per‑device keys, and quantum‑resistant primitives to limit long‑term key compromise and improve device linking controls — changes that will make individual account compromise harder but won’t change the fact that anonymous accounts can still be created [7] [8]. The Foundation says many theoretical attacks are “not currently practical,” but the upgrade effort acknowledges potential attack vectors and aims to reduce them [7].
6. Practical steps for people who want to “catch” wrongdoing or defend themselves
Available sources do not mention official, centralized takedown/reporting flows that would let outsiders subpoena message content or metadata quickly; users and victims are advised to collect Account IDs of offenders and use external tip lines where possible [3]. Session’s transparency reporting and protocol changes may increase accountability over time, but right now evidence collection often depends on what a victim can export and share, because the network itself minimizes retained logs [4] [3].
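As an added illustration of the evidence-collection step above (not code from Session or from the cited sources), the sketch below pulls Account IDs out of chat text a user has saved and seals the text with a SHA-256 digest so a tip line can confirm it was not altered afterwards. It assumes Account IDs are 66 hexadecimal characters (the sources state only the length); the export layout, sample IDs and function names are constructed for the example.

```python
import hashlib
import json
import re

# Assumption: an Account ID is 66 hexadecimal characters. The lookarounds
# reject longer hex runs (for example file hashes glued to other data).
ACCOUNT_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{66}(?![0-9A-Fa-f])")


def extract_account_ids(text):
    """Return unique Account ID candidates in first-seen order, lowercased."""
    seen = []
    for match in ACCOUNT_ID_RE.finditer(text):
        candidate = match.group(0).lower()
        if candidate not in seen:
            seen.append(candidate)
    return seen


def build_evidence_record(export_text, collected_at):
    """Summarise saved chat text for hand-off to an external tip line.

    The digest covers the exact bytes of the saved text, so any later
    change to the file produces a different value.
    """
    raw = export_text.encode("utf-8")
    return {
        "collected_at": collected_at,
        "export_sha256": hashlib.sha256(raw).hexdigest(),
        "export_bytes": len(raw),
        "account_ids": extract_account_ids(export_text),
    }


# Constructed sample text: the IDs and message layout are made up.
SAMPLE_ID_A = "05" + "ab12" * 16
SAMPLE_ID_B = "05" + "0f" * 32
SAMPLE_EXPORT = (
    f"[2024-01-01 10:00] {SAMPLE_ID_A}: joined the group\n"
    f"[2024-01-01 10:02] {SAMPLE_ID_B.upper()}: hello\n"
    f"[2024-01-01 10:03] {SAMPLE_ID_A}: message text\n"
    "[2024-01-01 10:04] note: " + "c" * 70 + " is too long to be an ID\n"
)

if __name__ == "__main__":
    record = build_evidence_record(SAMPLE_EXPORT, "2024-01-01T10:05:00Z")
    print(json.dumps(record, indent=2))
```

Keep the original saved file alongside the record; the digest is only useful if the recipient can recompute it over the same bytes.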
7. Competing perspectives and the policy dilemma
Advocates frame Session’s anonymity as essential protection against surveillance and censorship; critics point out that those same protections make policing abuse and identifying bad actors difficult [9] [5]. Sources document both viewpoints: privacy proponents celebrate the lack of phone numbers and metadata collection [9] [2], while reviewers and user reports document usability issues, potential security holes around media handling, and reporting gaps that create forums for illicit behavior [10] [3].
8. Bottom line for someone considering undercover monitoring
Creating an undercover Session account is straightforward due to anonymous account creation, and such an account can collect whatever content it’s permitted to see — but the app’s encryption and metadata minimisation prevent broad network surveillance or easy external attribution of that account to a real person [1] [2]. That duality is explicit in developer materials and independent reporting: Session’s privacy architecture both empowers legitimate anonymity and complicates efforts to catch and prosecute nefarious actors [3] [5].