Cyber Incident Victim: TeleMessage

Date:

Nov 2025

Location:

United States of America

Summary

TeleMessage suspended all services after hackers claimed to have accessed its servers and downloaded files, prompting its owner, Smarsh, to launch an investigation with an external cybersecurity firm. The suspension led agencies such as Customs and Border Protection to disable the app as a precaution. A hacker provided a screenshot showing Coinbase employee contacts, which Coinbase confirmed was authentic but said no customer data was compromised. Multiple government departments have contracts with the service, and it remains unclear whether any sensitive official communications were among the accessed files.


Description

TeleMessage suspended all of its services on May 1, 2025, after its owner, Smarsh, announced that it was investigating a potential security incident and had engaged an external cybersecurity firm to assist. Smarsh’s spokesperson said the company acted quickly to contain the issue and, out of an abundance of caution, shut down the platform entirely. The suspension followed a claim by a hacker who told NBC News that they had broken into a centralized TeleMessage server and downloaded a large cache of files, providing a screenshot of the app’s contact list for employees at the cryptocurrency broker Coinbase as evidence. A Coinbase spokesperson confirmed the screenshot’s authenticity but stressed that Coinbase itself had not been hacked and that none of its customers’ data had been affected, noting that the tool is not used to share passwords, seed phrases or other account‑access information.

TeleMessage markets itself as an encrypted messaging app that also provides archiving capabilities for compliance, a feature that drew attention after former national security adviser Mike Waltz was seen using it during a Cabinet meeting. His use revived concerns stemming from the earlier “Signalgate” incident in which he inadvertently invited a journalist into a Signal chat discussing military strikes on the Houthis in Yemen. The app’s encryption details are not fully disclosed, and while Signal is widely praised by experts, the federal government relies on highly monitored intranet systems for sensitive communications. Government records reviewed by NBC News indicate that several agencies, including the Department of Homeland Security, the Department of Health and Human Services, the Treasury Department and the U.S. International Development Finance Corporation, have active contracts to use TeleMessage or similar services for archiving purposes.

In addition to the NBC News‑cited hacker, a separate individual told the tech outlet 404 Media that they had also compromised TeleMessage and supplied significant evidence, though NBC News has not interacted with that source. The hacker who spoke to NBC News said they had not yet fully examined the stolen files and it remains unclear whether the data includes any sensitive U.S. government conversations. Customs and Border Protection, citing the detection of a cyber incident, immediately disabled TeleMessage as a precautionary measure, with a DHS spokesperson confirming that the investigation into the breach’s scope is ongoing. No further details about additional attackers or the exact volume of data exfiltrated have been made public.
