Not All eSIMs Take You Where You Think
The dark side of travel eSIMs: Chinese detours, shady resellers, and blissfully unaware nomads
You know the drill. You land somewhere new, maybe Lisbon, maybe Tokyo. You don’t bother with the airport kiosk or the old “buy a local SIM” routine. Instead, you open an app, scan a QR code, and in seconds—bam—you’re online. Welcome to the era of travel eSIMs, a godsend for digital nomads who live half their lives with one foot in a café and the other on an unstable Wi-Fi connection.
It’s fast, it’s cheap, it’s frictionless. Almost too frictionless. Because while you think your phone is happily connected to a local network, in reality… it might be tunneling your data through servers in China. Or India. Or literally anywhere else but where you actually are. And that’s not paranoia talking. That’s what a group of researchers revealed at the USENIX Security Symposium, the world’s top conference on cybersecurity.
Let’s unpack this.
The invisible revolution (and its cracks)
An eSIM is essentially a digital SIM card—no plastic, no fiddling with trays, no “I lost that tiny metal pin.” Your phone has a chip built-in, and activating it is as easy as scanning a QR code. Apple, Google, Samsung… they’ve all embraced it. In fact, some iPhones sold in the US don’t even have a physical SIM slot anymore.
For nomads, it’s been a blessing. No roaming nightmares. No weird contracts. No panic in an airport shop trying to mime “data package” in a language you don’t speak. Travel eSIMs are marketed as simple, safe, global.
But here’s the catch: the infrastructure behind them is a patchwork of resellers, middlemen, and wholesale deals. And that patchwork can get ugly.
When “New York” turns into “Ni Hao”
The researchers did the most obvious thing: they bought 25 different travel eSIMs from popular providers, installed them in the US, and tracked what happened to the data.
Surprise number one: in 40% of cases, the IP address assigned wasn’t even American. In one striking example, data bought through Holafly (a name many of us know) was routed directly through China Mobile—yes, the state-owned giant in Beijing. That means your emails, maps, and late-night Instagram scrolls were technically taking a detour through Chinese infrastructure.
Not exactly the “local US coverage” you thought you paid for.
Silent conversations you never asked for
Even creepier? Some eSIMs started “talking” to servers abroad without the user doing anything. One was phoning home to Singapore, another was receiving SMS messages from Hong Kong—without ever showing up on the screen. Maintenance? Updates? Who knows. The point isn’t conspiracy—it’s opacity. Your phone is having side conversations you’re not invited to, and you’re supposed to just… trust it.
Anyone can be a reseller
The wildest revelation? Pretty much anyone can become a travel eSIM reseller. No telecom license, no government oversight, no big infrastructure. You sign up with a platform, slap a logo on it, and voilà: you’re suddenly an “international connectivity provider.”
Sounds fun, except resellers often have access to sensitive backend data: unique identifiers, device status, sometimes even your approximate location down to 800 meters. In some cases, they can flip switches you’d never want touched—like making your phone reachable via a public IP address (hello, hackers).
So behind that glossy Instagram ad with a palm tree emoji, you might not be dealing with a global telecom giant, but with a guy running his “company” from a shared apartment.
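If you want to run the same two sanity checks on your own travel eSIM, here is a small sketch (an added example, not the researchers' tooling). It compares the country you are physically in with the registration country in the RDAP record for your egress IP, and tests whether the address on your cellular interface is itself public. The function names, sample records and documentation-range addresses are all constructed for illustration.

```python
import ipaddress
import json

# Not reachable from the internet: RFC 1918 private space and RFC 6598 carrier-grade NAT.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed RDAP "ip network" objects: documentation-range addresses, made-up names.
SAMPLE_ABROAD = json.dumps({"objectClassName": "ip network", "name": "EXAMPLE-MNO-A",
                            "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
                            "country": "CN"})
SAMPLE_LOCAL = json.dumps({"objectClassName": "ip network", "name": "EXAMPLE-MNO-B",
                           "startAddress": "198.51.100.0", "endAddress": "198.51.100.255",
                           "country": "US"})
SAMPLE_NO_COUNTRY = json.dumps({"objectClassName": "ip network", "name": "EXAMPLE-MNO-C",
                                "startAddress": "192.0.2.0", "endAddress": "192.0.2.255"})


def interface_exposed(interface_ip):
    """True if the cellular interface holds a public address (no NAT in front of the phone)."""
    ip = ipaddress.ip_address(interface_ip)
    return not any(ip in net for net in NON_ROUTABLE)


def egress_report(physical_country, egress_ip, rdap_json):
    """Compare where you are with where the RDAP record says the egress IP is registered."""
    rec = json.loads(rdap_json)
    ip = ipaddress.ip_address(egress_ip)
    lo = ipaddress.ip_address(rec["startAddress"])
    hi = ipaddress.ip_address(rec["endAddress"])
    if not lo <= ip <= hi:
        raise ValueError("RDAP record does not cover the egress IP")
    registered = rec.get("country", "").upper()  # "country" is optional in RDAP
    if not registered:
        verdict = "unknown"
    elif registered == physical_country.upper():
        verdict = "local-breakout"
    else:
        verdict = "routed-abroad"
    return {"network": rec.get("name"),
            "registered_country": registered or None,
            "verdict": verdict}


if __name__ == "__main__":
    print(egress_report("US", "203.0.113.7", SAMPLE_ABROAD))
    print(egress_report("US", "198.51.100.20", SAMPLE_LOCAL))
    print(interface_exposed("100.72.14.9"), interface_exposed("203.0.113.7"))
```

The RDAP country is registration data, so treat "routed-abroad" as a prompt to look closer (traceroute, latency), not as proof of where the gateway physically sits.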
Why this matters to all of us
This isn’t just geek paranoia. The world is going eSIM-only, whether we like it or not. And that means these vulnerabilities and shady practices won’t stay niche—they’ll become the default.
Yes, the underlying tech is secure: encrypted profiles, digitally signed activations. But security doesn’t mean much when the ecosystem is a free-for-all. Too many actors, too few rules, zero transparency. For the average user, there’s no way to know where their data goes, who handles it, or which laws apply.
That gap between perception (“I’m connected locally and safely”) and reality (“my traffic is hopping continents through opaque networks”) is exactly where abuse, surveillance, and data leaks thrive.
What needs to change
Researchers suggest three no-brainers:
Transparency – resellers should disclose where your data is routed and under which jurisdiction.
Privilege limits – resellers shouldn’t have God-mode access to your device info and network settings.
Real oversight – becoming an eSIM provider should require actual audits, not just an email address and a credit card.
Until then, the advice for nomads is simple: don’t choose your eSIM provider based only on flashy ads and a $2 price difference. Stick to brands with infrastructure and accountability. And never assume that “it’s just browsing data” doesn’t matter. Your phone is your identity, your office, your bank, your social life.
The Nomag take
As nomads, we love tools that make our lives lighter. eSIMs are one of those rare revolutions that really feel like freedom. But freedom without guardrails quickly turns into chaos.
So next time you’re sipping espresso in Rome or coconut water in Bali, remember: the little QR code that gives you internet might also be shipping your data to the other side of the planet.
Travel smart. Connect smart. And above all, stay suspicious. Because the only thing worse than a dead Wi-Fi signal is the illusion of a safe one.