Cyber Incident Victim: US municipal government

Date: Nov 2025

Location: United States of America

Summary

TeleMessage suspended all services after hackers claimed to have breached its servers and downloaded files, prompting an investigation by its owner Smarsh and the engagement of an external cybersecurity firm. The breach led to precautionary suspensions by Customs and Border Protection and raised concerns about the security of government communications, as several federal agencies have contracts with the app. Hackers provided evidence including a screenshot of Coinbase employee contacts, which Coinbase confirmed was authentic but said no customer data was compromised.

Description

TeleMessage, the messaging application used by former national security adviser Mike Waltz to archive group chats, suspended all of its services after a potential security incident was detected on May 1, 2025. A spokesperson for Smarsh, the parent company of TeleMessage, told NBC News that the company had acted quickly to contain the issue and had engaged an external cybersecurity firm to support the investigation. Following the detection, Customs and Border Protection, a component of the Department of Homeland Security, disabled TeleMessage as a precautionary measure, with a DHS spokesperson confirming that the investigation into the scope of the breach was ongoing. The suspension was described as a step taken out of an abundance of caution while the company worked to understand what data might have been compromised.

TeleMessage markets itself as an encrypted messaging tool similar to Signal but with added capabilities for backing up chats to meet compliance requirements for government agencies and private companies. The app came under public scrutiny after Waltz was seen using it during a Cabinet meeting, which revived concerns about the security of his communication methods that had first been raised during the “Signalgate” incident, in which he inadvertently invited a journalist into a Signal chat planning military strikes on the Houthis in Yemen. Federal officials are generally expected to use highly monitored intranet systems that are isolated from the broader internet for sensitive military planning, yet the use of encrypted apps like TeleMessage has grown in recent years, creating a tension between the need for secrecy and legal obligations to retain correspondence. Government records reviewed by NBC News indicated that several agencies, including the Department of Homeland Security, the Department of Health and Human Services, the Treasury Department, and the U.S. International Development Finance Corporation, maintained active contracts for TeleMessage services.

On the evening of April 27, 2025, a hacker who spoke to NBC News claimed to have broken into a centralized TeleMessage server and downloaded a large cache of files, providing a screenshot of the app’s contact list showing Coinbase employees as evidence. A Coinbase spokesperson verified the screenshot’s authenticity but emphasized that Coinbase itself had not been hacked and that no customer data had been affected, noting that the company does not use TeleMessage to share passwords, seed phrases, or other account‑access information. The hacker said they had not yet fully examined the stolen files and could not confirm whether the data included sensitive conversations from U.S. government officials. A separate hacker later told 404 Media that they had also compromised TeleMessage and possessed significant evidence, although NBC News had not interacted with that source. At the time of reporting, it remained unclear whether additional attackers had accessed TeleMessage’s systems, and the investigation into the breach’s full extent continued.
