diff --git a/Cargo.lock b/Cargo.lock
index db1fef9f4..47687a5c0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1358,6 +1358,7 @@ dependencies = [
  "qrcodegen",
  "quick-xml",
  "rand 0.8.5",
+ "rand 0.9.0",
  "ratelimit",
  "regex",
  "rusqlite",
@@ -1487,7 +1488,7 @@ dependencies = [
  "human-panic",
  "libc",
  "num-traits",
- "rand 0.8.5",
+ "rand 0.9.0",
  "serde_json",
  "thiserror 2.0.17",
  "tokio",
diff --git a/Cargo.toml b/Cargo.toml
index f50eda040..3e0648d3f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -82,6 +82,7 @@ pgp = { version = "0.17.0", default-features = false }
 pin-project = "1"
 qrcodegen = "1.7.0"
 quick-xml = { version = "0.38", features = ["escape-html"] }
+rand-old = { package = "rand", version = "0.8" }
 rand = { workspace = true }
 regex = { workspace = true }
 rusqlite = { workspace = true, features = ["sqlcipher"] }
@@ -186,7 +187,7 @@ log = "0.4"
 mailparse = "0.16.1"
 nu-ansi-term = "0.50"
 num-traits = "0.2"
-rand = "0.8"
+rand = "0.9"
 regex = "1.10"
 rusqlite = "0.36"
 sanitize-filename = "0.5"
diff --git a/deltachat-ffi/src/lib.rs b/deltachat-ffi/src/lib.rs
index 9c768d736..c99e1c574 100644
--- a/deltachat-ffi/src/lib.rs
+++ b/deltachat-ffi/src/lib.rs
@@ -39,7 +39,6 @@ use deltachat_jsonrpc::api::CommandApi;
 use deltachat_jsonrpc::yerpc::{OutReceiver, RpcClient, RpcSession};
 use message::Viewtype;
 use num_traits::{FromPrimitive, ToPrimitive};
-use rand::Rng;
 use tokio::runtime::Runtime;
 use tokio::sync::RwLock;
 use tokio::task::JoinHandle;
@@ -101,7 +100,7 @@ pub unsafe extern "C" fn dc_context_new(
 
     let ctx = if blobdir.is_null() || *blobdir == 0 {
         // generate random ID as this functionality is not yet available on the C-api.
-        let id = rand::thread_rng().gen();
+        let id = rand::random();
         block_on(
             ContextBuilder::new(as_path(dbfile).to_path_buf())
                 .with_id(id)
@@ -129,7 +128,7 @@ pub unsafe extern "C" fn dc_context_new_closed(dbfile: *const libc::c_char) -> *
         return ptr::null_mut();
     }
 
-    let id = rand::thread_rng().gen();
+    let id = rand::random();
     match block_on(
         ContextBuilder::new(as_path(dbfile).to_path_buf())
             .with_id(id)
diff --git a/src/authres.rs b/src/authres.rs
index ae26b3efa..67a305548 100644
--- a/src/authres.rs
+++ b/src/authres.rs
@@ -468,7 +468,7 @@ Authentication-Results: box.hispanilandia.net; spf=pass smtp.mailfrom=adbenitez@
             // The ordering in which the emails are received can matter;
             // the test _should_ pass for every ordering.
             dir.sort_by_key(|d| d.file_name());
-            //rand::seq::SliceRandom::shuffle(&mut dir[..], &mut rand::thread_rng());
+            //rand::seq::SliceRandom::shuffle(&mut dir[..], &mut rand::rng());
 
             for entry in &dir {
                 let mut file = fs::File::open(entry.path()).await?;
diff --git a/src/imap.rs b/src/imap.rs
index 0a9fbd0e1..91cdcf199 100644
--- a/src/imap.rs
+++ b/src/imap.rs
@@ -20,7 +20,6 @@ use deltachat_contact_tools::ContactAddress;
 use futures::{FutureExt as _, TryStreamExt};
 use futures_lite::FutureExt;
 use num_traits::FromPrimitive;
-use rand::Rng;
 use ratelimit::Ratelimit;
 use url::Url;
 
@@ -342,9 +341,9 @@ impl Imap {
         const BACKOFF_MIN_MS: u64 = 2000;
         const BACKOFF_MAX_MS: u64 = 80_000;
         self.conn_backoff_ms = min(self.conn_backoff_ms, BACKOFF_MAX_MS / 2);
-        self.conn_backoff_ms = self.conn_backoff_ms.saturating_add(
-            rand::thread_rng().gen_range((self.conn_backoff_ms / 2)..=self.conn_backoff_ms),
-        );
+        self.conn_backoff_ms = self.conn_backoff_ms.saturating_add(rand::random_range(
+            (self.conn_backoff_ms / 2)..=self.conn_backoff_ms,
+        ));
         self.conn_backoff_ms = max(BACKOFF_MIN_MS, self.conn_backoff_ms);
 
         let login_params = prioritize_server_login_params(&context.sql, &self.lp, "imap").await?;
diff --git a/src/imex/key_transfer.rs b/src/imex/key_transfer.rs
index 6d1f9f418..8ba1b262b 100644
--- a/src/imex/key_transfer.rs
+++ b/src/imex/key_transfer.rs
@@ -1,8 +1,6 @@
 //! # Key transfer via Autocrypt Setup Message.
 use std::io::BufReader;
 
-use rand::{Rng, thread_rng};
-
 use anyhow::{Result, bail, ensure};
 
 use crate::blob::BlobObject;
@@ -133,12 +131,11 @@ pub async fn render_setup_file(context: &Context, passphrase: &str) -> Result<St
 /// Creates a new setup code for Autocrypt Setup Message.
 fn create_setup_code(_context: &Context) -> String {
     let mut random_val: u16;
-    let mut rng = thread_rng();
     let mut ret = String::new();
 
     for i in 0..9 {
         loop {
-            random_val = rng.r#gen();
+            random_val = rand::random();
             if random_val as usize <= 60000 {
                 break;
             }
diff --git a/src/key.rs b/src/key.rs
index cde859d00..9ac4102b3 100644
--- a/src/key.rs
+++ b/src/key.rs
@@ -11,7 +11,6 @@ use pgp::composed::Deserializable;
 pub use pgp::composed::{SignedPublicKey, SignedSecretKey};
 use pgp::ser::Serialize;
 use pgp::types::{KeyDetails, KeyId, Password};
-use rand::thread_rng;
 use tokio::runtime::Handle;
 
 use crate::context::Context;
@@ -314,7 +313,7 @@ impl DcSecretKey for SignedSecretKey {
     fn split_public_key(&self) -> Result<SignedPublicKey> {
         self.verify()?;
         let unsigned_pubkey = self.public_key();
-        let mut rng = thread_rng();
+        let mut rng = rand_old::thread_rng();
         let signed_pubkey = unsigned_pubkey.sign(
             &mut rng,
             &self.primary_key,
diff --git a/src/mimefactory.rs b/src/mimefactory.rs
index a0517979b..ac84bb4f1 100644
--- a/src/mimefactory.rs
+++ b/src/mimefactory.rs
@@ -11,7 +11,6 @@ use iroh_gossip::proto::TopicId;
 use mail_builder::headers::HeaderType;
 use mail_builder::headers::address::{Address, EmailAddress};
 use mail_builder::mime::MimePart;
-use rand::Rng as _;
 use tokio::fs;
 
 use crate::aheader::{Aheader, EncryptPreference};
@@ -1015,7 +1014,7 @@ impl MimeFactory {
                 //
                 // and the explanation page says
                 // "The time information deviates too much from the actual time".
-                let timestamp_offset = rand::thread_rng().gen_range(0..1000000);
+                let timestamp_offset = rand::random_range(0..1000000);
                 let protected_timestamp = self.timestamp.saturating_sub(timestamp_offset);
                 let unprotected_date =
                     chrono::DateTime::<chrono::Utc>::from_timestamp(protected_timestamp, 0)
diff --git a/src/peer_channels.rs b/src/peer_channels.rs
index a8797f886..d12d7d7f2 100644
--- a/src/peer_channels.rs
+++ b/src/peer_channels.rs
@@ -235,7 +235,7 @@ impl Context {
     /// Create iroh endpoint and gossip.
     async fn init_peer_channels(&self) -> Result<Iroh> {
         info!(self, "Initializing peer channels.");
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let secret_key = SecretKey::generate(rand_old::rngs::OsRng);
         let public_key = secret_key.public();
 
         let relay_mode = if let Some(relay_url) = self
diff --git a/src/pgp.rs b/src/pgp.rs
index 86d39aeb1..b97889936 100644
--- a/src/pgp.rs
+++ b/src/pgp.rs
@@ -17,7 +17,7 @@ use pgp::crypto::hash::HashAlgorithm;
 use pgp::crypto::sym::SymmetricKeyAlgorithm;
 use pgp::packet::{SignatureConfig, SignatureType, Subpacket, SubpacketData};
 use pgp::types::{CompressionAlgorithm, KeyDetails, Password, PublicKeyTrait, StringToKey};
-use rand::thread_rng;
+use rand_old::thread_rng;
 use tokio::runtime::Handle;
 
 use crate::key::{DcKey, Fingerprint};
diff --git a/src/push.rs b/src/push.rs
index 8b4bcc3ca..a16f946da 100644
--- a/src/push.rs
+++ b/src/push.rs
@@ -13,7 +13,6 @@ use anyhow::{Context as _, Result};
 use base64::Engine as _;
 use pgp::crypto::aead::{AeadAlgorithm, ChunkSize};
 use pgp::crypto::sym::SymmetricKeyAlgorithm;
-use rand::thread_rng;
 use tokio::sync::RwLock;
 
 use crate::context::Context;
@@ -80,8 +79,7 @@ pub(crate) fn encrypt_device_token(device_token: &str) -> Result<String> {
         .first()
         .context("No encryption subkey found")?;
     let padded_device_token = pad_device_token(device_token);
-    let mut rng = thread_rng();
-
+    let mut rng = rand_old::thread_rng();
     let mut msg = pgp::composed::MessageBuilder::from_bytes("", padded_device_token).seipd_v2(
         &mut rng,
         SymmetricKeyAlgorithm::AES128,
diff --git a/src/receive_imf/receive_imf_tests.rs b/src/receive_imf/receive_imf_tests.rs
index f70c9fc81..ddd36ddc3 100644
--- a/src/receive_imf/receive_imf_tests.rs
+++ b/src/receive_imf/receive_imf_tests.rs
@@ -4339,8 +4339,8 @@ async fn test_download_later() -> Result<()> {
     let bob_chat = bob.create_chat(&alice).await;
 
     // Generate a random string so OpenPGP does not compress it.
-    let text: String = rand::thread_rng()
-        .sample_iter(&rand::distributions::Alphanumeric)
+    let text: String = rand::rng()
+        .sample_iter(&rand::distr::Alphanumeric)
         .take(MIN_DOWNLOAD_LIMIT as usize)
         .map(char::from)
         .collect();
diff --git a/src/scheduler.rs b/src/scheduler.rs
index ed8678332..a778e4fe7 100644
--- a/src/scheduler.rs
+++ b/src/scheduler.rs
@@ -7,7 +7,6 @@ use anyhow::{Context as _, Error, Result, bail};
 use async_channel::{self as channel, Receiver, Sender};
 use futures::future::try_join_all;
 use futures_lite::FutureExt;
-use rand::Rng;
 use tokio::sync::{RwLock, oneshot};
 use tokio::task;
 use tokio_util::sync::CancellationToken;
@@ -831,7 +830,7 @@ async fn smtp_loop(
                 let slept = time_elapsed(&now).as_secs();
                 timeout = Some(cmp::max(
                     t,
-                    slept.saturating_add(rand::thread_rng().gen_range((slept / 2)..=slept)),
+                    slept.saturating_add(rand::random_range((slept / 2)..=slept)),
                 ));
             } else {
                 info!(ctx, "SMTP has no messages to retry, waiting for interrupt.");
diff --git a/src/test_utils.rs b/src/test_utils.rs
index 91904333a..d7ca71156 100644
--- a/src/test_utils.rs
+++ b/src/test_utils.rs
@@ -15,7 +15,6 @@ use chat::ChatItem;
 use deltachat_contact_tools::{ContactAddress, EmailAddress};
 use nu_ansi_term::Color;
 use pretty_assertions::assert_eq;
-use rand::Rng;
 use tempfile::{TempDir, tempdir};
 use tokio::runtime::Handle;
 use tokio::{fs, task};
@@ -494,7 +493,7 @@ impl TestContext {
     async fn new_internal(name: Option<String>, log_sink: Option<LogSink>) -> Self {
         let dir = tempdir().unwrap();
         let dbfile = dir.path().join("db.sqlite");
-        let id = rand::thread_rng().r#gen();
+        let id = rand::random();
         if let Some(name) = name {
             let mut context_names = CONTEXT_NAMES.write().unwrap();
             context_names.insert(id, name);
diff --git a/src/tools.rs b/src/tools.rs
index e7dc108cf..115b1d684 100644
--- a/src/tools.rs
+++ b/src/tools.rs
@@ -32,7 +32,7 @@ use mailparse::MailHeaderMap;
 use mailparse::dateparse;
 use mailparse::headers::Headers;
 use num_traits::PrimInt;
-use rand::{Rng, thread_rng};
+use rand::Rng;
 use tokio::{fs, io};
 use url::Url;
 use uuid::Uuid;
@@ -291,7 +291,7 @@ async fn maybe_warn_on_outdated(context: &Context, now: i64, approx_compile_time
 /// and divides both by 8 (byte size) and 6 (number of bits in a single Base64 character).
 pub(crate) fn create_id() -> String {
     // ThreadRng implements CryptoRng trait and is supposed to be cryptographically secure.
-    let mut rng = thread_rng();
+    let mut rng = rand::rng();
 
     // Generate 144 random bits.
     let mut arr = [0u8; 18];