TeleMessage, the Israeli software firm recently identified as the provider of a modified Signal messaging app used within the Trump administration, has suffered a significant security breach, a hacker revealed.
The attacker reportedly infiltrated the company’s systems in under 30 minutes, accessing stored communications from clients including U.S. Customs and Border Protection (CBP) and cryptocurrency firm Coinbase, according to reporting by 404 Media citing evidence provided by the attacker.
The hacker claims to have used login credentials found in intercepted data, potentially facilitated by vulnerabilities like hardcoded credentials discovered in the app’s source code just days before the hack became public.
The attacker told 404 Media the breach “wasn’t much effort at all,” adding, “If I could have found this in less than 30 minutes then anybody else could too. And who knows how long it’s been vulnerable?”
They reportedly chose not to inform TeleMessage beforehand, being “worried the company might try to cover it up.” Data exfiltrated included archived message content from TeleMessage’s modified versions of Signal (known as TM SGNL), WhatsApp, Telegram, and WeChat, alongside backend system details.
While the hacker shared snippets apparently showing Democratic lawmakers discussing cryptocurrency, they did not claim to have accessed the communications of former National Security Advisor Mike Waltz or of other officials such as JD Vance or Marco Rubio whose use of the app has already been reported. TeleMessage CEO Guy Levit, whose background includes time in an IDF Intelligence unit, declined to comment on the reports.
Archiving Apps and Security Trade-offs
TeleMessage, acquired by U.S. compliance technology firm Smarsh on February 20 and now rebranding its product as “Capture Mobile,” modifies popular messaging apps to enable communication archiving for regulatory needs, such as meeting U.S. federal record-keeping laws. Its core offering involves creating modified “clones” of popular messaging apps.
These modified clients intercept or copy plaintext messages at the user’s device endpoint, sending them to an external archive – potentially Microsoft 365 (including government cloud instances), email servers (SMTP), or file servers (SFTP), according to company documentation analyzed by security researcher Micah Lee.
A promotional video, now set as private on YouTube, claims the TM SGNL app keeps Signal’s security “intact when communicating with other Signal users,” but clarifies, “The only difference is the TeleMessage version captures all incoming and outgoing Signal messages for archiving purposes.”
This process, designed for compliance, inherently undermines the protection that end-to-end encryption (E2EE) normally gives messages on platforms like Signal: the encryption in transit is left intact, but a plaintext copy of every message is created at the endpoint and stored outside the E2EE boundary, where it is only as secure as the archive holding it. The hack proved this archived data was vulnerable.
A Signal spokesperson commented on such third-party modifications, stating the company “cannot guarantee the privacy or security properties of unofficial versions of Signal.”
The use of TM SGNL by Waltz was revealed in a May 1 Reuters photo via its unique “TM SGNL PIN” prompt. This discovery followed earlier controversies in March 2025 where Waltz and other officials faced criticism for using the standard Signal app for sensitive military planning discussions, raising questions about compliance and protocol adherence.
The adoption of TM SGNL likely represented an attempt to address the record-keeping mandate highlighted by the March incident, but its implementation introduced critical security failures.
Source Code Discovery Preceded Hack Report
The hacker’s claim of easy access aligns with findings published by researcher Micah Lee on May 3. Lee discovered publicly accessible download links for the TM SGNL Android and iOS source code on TeleMessage’s own website (`Signal.zip` and `Signal-iOS-main.zip`).
His analysis revealed the Android source code contained “hardcoded credentials and other vulnerabilities,” a critical security lapse. This finding, made just before the hack was reported, provides a plausible explanation for the rapid system compromise. The code, licensed under AGPL v3, which mandates source availability, also contained a Git history pointing to a private Israeli GitLab server (`TMGitlab.telemessage.co.il`).
A History of Risky Workarounds
This incident is not the first time government officials’ use of non-standard messaging tools for sensitive communications has led to security issues. In 2017, the Confide app, also reportedly used within the Trump administration and marketed for its security, was found to possess serious flaws.
The TeleMessage breach serves as another example of the risks involved when compliance or convenience leads to the use of modified consumer apps or third-party services that may not meet the stringent security standards of official government systems like SIPRNet, especially when handling sensitive, albeit perhaps not formally classified, information.
With TeleMessage holding contracts with multiple U.S. agencies, including the State Department and CDC (as indicated by a specific $90,000 contract from December 2024 for Signal/WhatsApp archiving licenses), the implications of this breach extend beyond the immediate political sphere, highlighting systemic risks in third-party compliance solutions.