
A cloned version of the Signal app used by U.S. government agencies — including members of the Trump administration — was hacked in under 30 minutes, exposing archived messages from agencies like Customs and Border Protection (CBP), financial institutions, and others.
The compromised tool is a modified Signal client developed by TeleMessage, an Israeli firm that sells tailored versions of encrypted messaging apps to government and corporate clients. These custom versions allow institutions to comply with legal archiving requirements by silently capturing message contents — normally protected by end-to-end encryption — and routing them to external storage systems. The company's flagship clone, branded internally as “TM SGNL,” was spotted in use by former National Security Adviser Mike Waltz during a recent cabinet meeting with President Trump. A Reuters photograph clearly showed the interface, revealing message threads with high-profile political figures including JD Vance, Marco Rubio, and Tulsi Gabbard.
While the original Signal app is widely lauded for its robust security model, TeleMessage's version introduces a silent third-party participant to message threads for archiving purposes. In theory, this allows institutions to retain full chat histories without undermining the app's encryption. However, 404 Media's investigation reveals that, in practice, the implementation leaves a major gap: the communication path from the modified app to the storage endpoint is not fully end-to-end encrypted. This vulnerability allowed an unnamed hacker to extract significant troves of archived chat data with little effort.
According to 404 Media, the breach included internal communications from CBP, the cryptocurrency exchange Coinbase, and multiple unnamed financial institutions. While no cabinet-level messages were recovered, the compromise demonstrates that any user employing the TM SGNL client could have their conversations exposed if the archived data is not properly encrypted or segregated.
The attacker told 404 Media that he breached TeleMessage's system within 15 to 20 minutes of becoming curious about the product, following earlier media reports. He claimed that the vulnerable archive endpoints were hosted on Amazon Web Services (AWS) in Northern Virginia and were trivially accessible. Source code from the modified app, obtained and reviewed by security professionals, confirmed the AWS infrastructure and revealed no significant hardening or isolation to prevent unauthorized access. The hacker did not notify TeleMessage prior to publication, citing concerns the company would attempt a cover-up.
TeleMessage, which maintains contracts with several U.S. agencies including the State Department and the Centers for Disease Control and Prevention, has declined to comment on the breach. The company markets its services as a compliant way for government and enterprise clients to log encrypted communications from platforms like Signal, WhatsApp, Telegram, and WeChat. However, this breach challenges the firm's security claims and raises broader concerns about the risks introduced by such “compliant” surveillance tooling.
The incident also echoes a recent operational failure in March, when a Trump administration group chat on the official Signal app discussing a military strike in Yemen accidentally included a journalist. That earlier event highlighted not technical shortcomings, but poor communication hygiene and an overreliance on consumer apps for highly sensitive government operations. In contrast, the TeleMessage breach underscores what can happen when third-party vendors modify secure platforms without matching the original developer's security standards.
It is generally recommended to avoid using forked or modified secure messaging apps unless those changes have undergone independent, third-party security audits. Communications involving sensitive or classified material should remain on platforms specifically cleared for that purpose, such as SIPRNet or other government-isolated systems.