
Cyber Incident Victim: US municipal government

Date:

May 2025

Location:

United States of America

Summary

A messaging application utilized by a former U.S. official and multiple government agencies suspended services following claims by hackers who breached its centralized server and stole files, prompting an ongoing investigation. The app, designed to archive encrypted communications for compliance, was temporarily disabled by federal entities including Customs and Border Protection as a precautionary measure. Hackers provided evidence of accessing internal data from a cryptocurrency firm, though no customer account compromises were confirmed. Several U.S. government departments had active contracts with the service, but the extent of sensitive government data exposure remains unclear as attackers continue reviewing the stolen cache.


Description

In May 2025, TeleMessage—a messaging application used by U.S. government officials including former national security adviser Mike Waltz—suspended all services following claims by hackers that they breached its systems. Smarsh, TeleMessage’s parent company, confirmed it was investigating a potential security incident, engaging an external cybersecurity firm and temporarily halting operations as a precaution. The breach gained public attention after Waltz’s visible use of the app during a Cabinet meeting reignited concerns about communication security, recalling prior incidents like the "Signalgate" controversy where sensitive military planning discussions were inadvertently exposed. Customs and Border Protection (CBP), a Department of Homeland Security component, immediately disabled TeleMessage upon detecting the cyber incident, though the scope of the breach remained under investigation. TeleMessage differentiated itself from apps like Signal by offering encrypted messaging alongside centralized chat backups for compliance, a feature marketed to government and corporate clients but later criticized for creating archival vulnerabilities.

Hackers contacted NBC News on Sunday evening, claiming to have infiltrated a centralized TeleMessage server and exfiltrated a large cache of files. As evidence, they provided a screenshot of TeleMessage’s internal contact list for Coinbase employees, which the cryptocurrency broker confirmed as authentic but clarified no customer data or account credentials were compromised. The hackers had not yet fully reviewed the stolen data, leaving uncertainty about whether U.S. government communications—including sensitive discussions—were accessed. Government procurement records reviewed by NBC News revealed active contracts for TeleMessage services with multiple agencies, including DHS, Health and Human Services, Treasury, and the U.S. International Development Finance Corp. A separate hacker independently told tech outlet 404 Media they had also breached TeleMessage, though NBC News did not verify this claim. The incident highlighted tensions between encrypted messaging’s secrecy benefits and legal mandates for record retention, with centralized archives presenting inherent risks of becoming high-value targets for cyber intrusions.
