Cyber Incident Victim: United States government
Date: Apr 2025
Location: United States of America
Summary
The United States government’s use of the encrypted messaging app TeleMessage came under scrutiny after officials including former national security adviser Mike Waltz were seen using the service, prompting the app’s owner to suspend all services while investigating a claimed breach in which hackers said they accessed a central server and obtained files such as a Coinbase employee contact list. Customs and Border Protection and other agencies paused or reviewed their use of TeleMessage as a precaution, and the hacker provided evidence that did not appear to include sensitive government communications, though the full scope remains under review by an external cybersecurity firm.
Description
On May 1, 2025, TeleMessage announced the suspension of all its services after a spokesperson for its parent company Smarsh said the firm was investigating a potential security incident and had acted quickly to contain it while engaging an external cybersecurity firm. Smarsh stated that, out of an abundance of caution, all TeleMessage services were temporarily suspended pending the outcome of the investigation. The Department of Homeland Security’s Customs and Border Protection confirmed it had disabled TeleMessage as a precautionary measure following the detection of a cyber incident, noting that the investigation into the scope of the breach was ongoing. These actions were taken after the app had drawn public attention due to its use by former National Security Adviser Mike Waltz during a Cabinet meeting.

TeleMessage provides encryption similar to Signal but also offers government agencies and companies a way to back up copies of chats for compliance purposes. The app first came under scrutiny after Waltz appeared to be using it during a Cabinet meeting, which revived concerns about the security of his communication methods that had been highlighted by the earlier Signalgate incident, in which he inadvertently added a journalist to a Signal chat planning military strikes on the Houthis in Yemen. Officials are expected to use highly monitored intranet systems that are almost entirely closed off from the rest of the digital world for sensitive military planning. The use of encrypted messaging apps in the U.S. government has grown significantly in recent years, but it poses a problem for officials subject to laws that require them to save their correspondence — creating a tension between the need for secrecy and archiving. Government records reviewed by NBC News show that several agencies, including the Department of Homeland Security, the Department of Health and Human Services, the Treasury Department and the United States International Development Finance Corporation, have active contracts for TeleMessage services.

On Sunday evening, a hacker who spoke to NBC News claimed to have infiltrated a centralized TeleMessage server and exfiltrated a large cache of files, providing a screenshot of the app’s employee contact list for the cryptocurrency firm Coinbase as evidence. A Coinbase spokesperson verified the screenshot’s authenticity but emphasized that Coinbase itself had not been hacked and that no customer data had been accessed, noting that the service is not used to share passwords, seed phrases or other account‑access information. The hacker told NBC News they had not yet fully examined the stolen files and could not confirm whether the material included sensitive conversations involving the U.S. government. A separate individual who spoke to 404 Media also asserted they had compromised TeleMessage and supplied substantial proof, although NBC News has not interacted with that source, and it remains unknown whether additional actors have gained access to the system.
