The repercussions for TeleMessage, an Israeli firm providing a modified Signal messaging app named TM SGNL to clients including Trump administration officials, are escalating.
Smarsh, its parent company, has taken the drastic step of suspending all TeleMessage services. This follows damning revelations that the app grants TeleMessage unfettered access to users’ plaintext chat logs, a design that fundamentally betrays Signal’s core promise of end-to-end encryption.
The disclosures have prompted U.S. Senator Ron Wyden to call for an immediate Department of Justice investigation, citing grave U.S. national security concerns and potential violations of the False Claims Act due to misleading marketing.
How TM SGNL’s Architecture Undermines Encryption
At the center of this security debacle is the TM SGNL application’s architecture. Security researcher Micah Lee, in a detailed technical analysis, documented step by step how the app handles messages.
Lee examined the Android source code, which TeleMessage had made publicly available under a GNU Affero General Public License v3.0 (AGPLv3). This license, as Lee noted, grants anyone the right to “access, analyze, reverse engineer, and pretty much do anything else we wish to with the code.”
His findings were stark: despite TeleMessage’s marketing claims of “End-to-End encryption from the mobile phone through to the corporate archive,” the reality is far different.
The TM SGNL app captures messages after Signal has already decrypted them on the user’s device. These plaintext communications are then transmitted to TeleMessage’s own archive server at https://archive.telemessage.com, hosted in Amazon Web Services’ Northern Virginia region, a location Lee points out is “not an approved place to store classified information.”
Only after residing on this intermediary server are the messages routed to a customer’s designated storage. “TM SGNL completely breaks this security,” Lee wrote. “The communication between the TM SGNL app and the final archive destination is not end-to-end encrypted.”
This is further corroborated by Microsoft’s own documentation for its Purview compliance service, which describes Purview connecting to TeleMessage’s site to retrieve the archived messages, i.e., the archive is readable by whoever operates that site, not only by the end customer.
Lee’s analysis of the TM SGNL Android source code reveals a step-by-step process. When the app starts, the `TeleMessageApplicationDependencyProvider` initializes the SDK and adds the `ArchiveMessagesProcessor` as a hook. This processor monitors the local `SignalDatabase` (Signal’s SQLite database on the device).
When messages are created or modified, `ArchiveMessagesProcessor.processAfterMessageStateChanged` is triggered, which in turn calls `DataGrabber.setMessage`.
The `DataGrabber` component then saves the message to a separate staging database on the device and initiates the `SyncAdapter`. The `SyncAdapter`, an Android background service, queries this staging database for messages with a status of `WaitingToBeDelivered`.
If such messages exist, they are passed to `NetworkManager.start`. Finally, the `NetworkManager` makes an HTTP POST request, sending the plaintext message data to the API endpoint `https://archive.telemessage.com/api/rest/archive/telemessageincomingmessage/`.
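The following Python model is an added illustration, not TeleMessage’s or Signal’s code: it replays the hook → staging database → sync adapter → HTTP POST chain described above in memory (no network calls; the endpoint string is only carried as data) and shows what the intermediary server can read. It also adds a hypothetical `protect` hook, which the real app does not have, to show where encryption to a customer-held key would have to sit for the marketing claim of end-to-end archiving to be true. The seal/unseal routine is a deliberately toy SHA-256/HMAC construction used only to mark the trust boundary, not production cryptography, and the sample message is constructed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Endpoint named in Lee's analysis; this script never contacts it.
ARCHIVE_ENDPOINT = ("https://archive.telemessage.com/api/rest/archive/"
                    "telemessageincomingmessage/")
WAITING = "WaitingToBeDelivered"
DELIVERED = "Delivered"


@dataclass
class StagedMessage:
    message_id: int
    sender: str
    body: str            # plaintext here; sealed blob in the hardened variant
    status: str = WAITING


class StagingDatabase:
    """Stand-in for the on-device staging table the SyncAdapter polls."""
    def __init__(self):
        self.rows = []

    def insert(self, row):
        self.rows.append(row)

    def waiting(self):
        return [r for r in self.rows if r.status == WAITING]


def archive_hook(signal_message, staging, protect=None):
    """ArchiveMessagesProcessor/DataGrabber role: runs after Signal has
    already decrypted and stored the message. `protect` is a hypothetical
    hook added by this example; the real app stages the plaintext as-is."""
    body = signal_message["body"]
    if protect is not None:
        body = protect(body)
    staging.insert(StagedMessage(signal_message["id"],
                                 signal_message["sender"], body))


def sync_adapter(staging, send):
    """SyncAdapter/NetworkManager role: POST each waiting row, mark delivered."""
    payloads = []
    for row in staging.waiting():
        payload = json.dumps({"messageId": row.message_id,
                              "from": row.sender, "text": row.body})
        send(ARCHIVE_ENDPOINT, payload)
        row.status = DELIVERED
        payloads.append(payload)
    return payloads


class ArchiveServer:
    """Models the intermediary archive: whatever it stores, it can read."""
    def __init__(self):
        self.stored = []

    def handle(self, url, payload):
        self.stored.append(json.loads(payload))

    def can_read(self, needle):
        return any(needle in rec["text"] for rec in self.stored)


# Hardened variant: seal to a customer-held key BEFORE staging.
# Toy keystream/HMAC construction (NOT production crypto); only the
# placement of the encryption step matters for the argument.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(customer_key, plaintext):
    nonce = secrets.token_bytes(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(customer_key, nonce, len(pt))))
    tag = hmac.new(customer_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def unseal(customer_key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(customer_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: blob altered in transit or at rest")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(customer_key, nonce, len(ct))))
    return pt.decode()


def run_pipeline(messages, protect=None):
    """Stage every message, drain the staging DB, return the server state."""
    staging, server = StagingDatabase(), ArchiveServer()
    for m in messages:
        archive_hook(m, staging, protect)
    sync_adapter(staging, server.handle)
    return server


# Constructed sample input, not real data.
SAMPLE = [{"id": 1, "sender": "+15550100", "body": "Meet at 0900, bring the brief"}]

if __name__ == "__main__":
    leaky = run_pipeline(SAMPLE)
    print("intermediary reads plaintext:", leaky.can_read("Meet at 0900"))  # True
    key = secrets.token_bytes(32)                 # held by the customer only
    sealed = run_pipeline(SAMPLE, protect=lambda t: seal(key, t))
    print("intermediary reads plaintext:", sealed.can_read("Meet at 0900"))  # False
    print("customer recovers:", unseal(key, sealed.stored[0]["text"]))
```

Nothing in the hardened path stops the archive server from storing and forwarding blobs, which is all a compliance archive needs the intermediary to do; what changes is that the key never leaves the customer, so a compromise of the intermediary, or an insider there, yields ciphertext rather than readable chats.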
Lee also observed that the iOS source code provided by TeleMessage appeared to be largely unmodified Signal code, raising questions about the specific archival mechanism on that platform. A critical point Lee makes is that TM SGNL is interoperable with the standard Signal app, meaning “If you’re a Signal user, you have no way of knowing when you’re talking to a TM SGNL user.”
Hackers Breach TeleMessage, Confirming Plaintext Exposure
The architectural weakness Lee identified was dramatically confirmed by at least two separate hacking incidents. An anonymous hacker contacted Lee around May 3-4, claiming to have breached TeleMessage’s systems.
This individual told 404 Media that the intrusion “wasn’t much effort at all,” estimating it took “about 15-20 minutes.” The hacker provided Lee with data snapshots from TeleMessage’s servers, which, as Lee detailed, included plaintext Signal messages (such as one to a group named “Upstanding Citizens Brigade” dated May 4, containing a link to a tweet about President Trump), plaintext Telegram messages (one apparently from a Coinbase employee containing a link to a SendSafely document), and plaintext WhatsApp messages (one to a group named “Yenta AF”).
Lee also found an example of an encrypted WhatsApp message, indicating not all data was handled uniformly, as well as private key material. While this first hacker clarified to 404 Media that they did not access messages belonging to cabinet members or Rep. Mike Waltz, their actions unequivocally demonstrated that archived messages were accessible in plaintext on TeleMessage’s infrastructure.
Subsequently, NBC News reported that TeleMessage had suspended its services after a second hacker breached the company. This second individual provided NBC News with a screenshot of TeleMessage’s contact list for Coinbase employees as evidence of their access.
In response to these events, Smarsh, TeleMessage’s parent company, confirmed the service suspension to BleepingComputer, with a spokesperson stating, “Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.” Further indicating the company’s attempts at damage control, much of the content on TeleMessage’s website, including service details and app download links, was removed following the public disclosures.
National Security Alarms and a Precedent of Risky Communications
The use of TM SGNL by prominent figures such as Rep. Mike Waltz—whose use was inadvertently spotted in a Reuters photo around May 1-2—and potentially other officials including JD Vance, John Ratcliffe, Marco Rubio, Pete Hegseth, Stephen Miller, and Tulsi Gabbard, has triggered significant national security alarms.
Compounding these concerns is TeleMessage’s Israeli origin and the background of its founder and CEO, Guy Levit, who, according to his now-removed company bio, previously “served as the head of the planning and development of one of the IDF’s Intelligence elite technical units.”
Senator Wyden’s May 6 letter to Attorney General Pam Bondi was explicit in its demands, urging the DOJ to investigate “the counterintelligence threat posed by TeleMessage, to determine the extent to which foreign employees of the company have access to the messages of government users, whether the company has shared U.S. government communications with the Israeli government, and whether the Israeli government played any role in the product’s dangerous design.”
Wyden also highlighted a statement from a Smarsh executive to the New York Times, who had claimed information was not decrypted by TeleMessage during collection or transit to its archive—a claim Wyden flatly called “plainly false” based on Lee’s research. Lee himself commented on the situation, stating, “But the fact that they designed their archiving system to not be end-to-end encrypted, and that they lie about it, is quite a big red flag.”
This current controversy appears to be an outgrowth of an earlier incident in March, when many of the same officials faced public and congressional criticism for using the standard, unmodified Signal app to discuss sensitive military operations related to Yemen within a group chat known as the “Houthi PC small group.”
That episode underscored the inherent unsuitability of consumer messaging applications for official, potentially classified, government communications, likely prompting the search for what was perceived as a compliant archiving solution—a role TM SGNL was marketed to fill, as detailed in our report on the initial hack.
A Signal spokesperson has consistently reiterated to media outlets that the company “cannot guarantee the privacy or security properties of unofficial versions of Signal,” while the White House has previously indicated that the standard Signal application is approved for government use. The core issue, therefore, seems to lie specifically with TeleMessage’s modifications and its misleading representations.
The potential impact extends beyond these political figures; public procurement records indicate TeleMessage holds contracts with various U.S. government agencies, including U.S. Customs and Border Protection, the State Department, and the Centers for Disease Control and Prevention.
One notable active contract with the Department of Homeland Security and FEMA, for mobile electronic message archiving, is valued at $2.1 million and is set to run through August 2025. Financial institutions such as Scotiabank were also reportedly among the clients whose data was exposed in the breaches.