
A modified version of the encrypted messaging app Signal, used by Trump administration officials, was compromised in an intrusion into TeleMessage, the Israeli company behind the unofficial build and its archiving service. The breach exposed archived messages and backend systems, raising serious concerns about the security of sensitive government communications [1].
Summary for Security Leadership
The unofficial Signal variant, branded TM SGNL, was distributed through enterprise mobile device management (MDM) systems and was used by former National Security Advisor Mike Waltz, among others. The breach occurred through TeleMessage's own infrastructure. The app keeps Signal's end-to-end encryption between clients, but once a message has been decrypted on the device the client forwards a copy to TeleMessage's archiving servers, which relay it to the customer's chosen destination, such as an SMTP/Microsoft 365 mailbox or SFTP storage [4]. Services were suspended after the intrusion was discovered; the attacker reportedly needed less than 30 minutes to carry it out [5].
- Affected Systems: TM SGNL backend servers, archived messages stored in AWS/Azure
- Exposed Data: Government communications, CBP records, financial institution data
- Technical and Licensing Flaws: Hardcoded credentials, cleartext message storage, AGPL license violation
- Threat Actor Access: Direct messages and group chats archived by the system
Technical Analysis of the Breach
Signal's client code is released under the AGPL, which requires anyone distributing a modified version to publish the modified source; TM SGNL did not, putting it in violation of that license [5]. Analysis of the app packages showed that they were distributed through Apple Business Manager and Google's enterprise programs, i.e. deployed to managed devices for government users. Archived copies were stored with cloud providers (AWS/Azure) or routed to mail servers, entirely outside the protection of Signal's end-to-end encryption [5].
404 Media's investigation found that the hacker obtained backend access to systems holding data from Customs and Border Protection (CBP), Coinbase and several financial institutions [4]. The intrusion method has not been fully disclosed, but analysis of the leaked source code turned up hardcoded credentials and other security flaws that likely eased it [6].
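The kind of check that surfaces hardcoded credentials in a leaked or vendor-supplied code base, as an added example in Go (this is not TM SGNL's or TeleMessage's code, and the sample source lines are constructed for the demo, not taken from the leak). It flags string literals assigned to credential-like names and skips comment lines, values read from the environment or a template, short values and obvious placeholders, so that a reviewer doing the pre-deployment audit recommended below gets findings rather than noise.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected hardcoded credential.
type Finding struct {
	Line     int
	Name     string // variable or config key the literal was assigned to
	Redacted string // first three characters of the value, rest masked
}

// credRe matches `password = "..."`, `"api_key": '...'`, `secret="..."` and similar
// assignments in source or config text (RE2 syntax, so no backreferences).
var credRe = regexp.MustCompile(
	`(?i)\b([A-Za-z0-9_.-]*(?:passw(?:or)?d|secret|token|api[_-]?key|private[_-]?key)[A-Za-z0-9_.-]*)["']?\s*[:=]\s*["']([^"']+)["']`)

// placeholders are values that are obviously not live credentials.
var placeholders = map[string]bool{"changeme": true, "password": true, "todo": true, "<redacted>": true, "xxxxxxxx": true}

func isComment(line string) bool {
	t := strings.TrimSpace(line)
	return strings.HasPrefix(t, "//") || strings.HasPrefix(t, "#") || strings.HasPrefix(t, "*")
}

// redact keeps enough of the value to locate it in the file without reprinting the secret.
func redact(v string) string {
	if len(v) <= 3 {
		return strings.Repeat("*", len(v))
	}
	return v[:3] + strings.Repeat("*", len(v)-3)
}

// ScanForCredentials reports string literals assigned to credential-like names.
// Comment lines, values filled in from the environment or a template, short
// values and known placeholders are skipped to keep the noise down.
func ScanForCredentials(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		if isComment(line) {
			continue
		}
		m := credRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		name, val := m[1], m[2]
		if len(val) < 8 || placeholders[strings.ToLower(val)] || strings.Contains(val, "${") {
			continue
		}
		out = append(out, Finding{Line: i + 1, Name: name, Redacted: redact(val)})
	}
	return out
}

// sampleSource is a constructed sample, not from any real TM SGNL or TeleMessage source.
const sampleSource = `smtp_host = "mail.example.invalid"
archive_password = "Sup3r-S3cret-Pass!"
api_token = os.Getenv("ARCHIVE_API_TOKEN")
sftp_password = ""
# sftp_password = "changeme"
"aws_secret_access_key": "AKIAEXAMPLENOTREALKEY0000"
db_password = "${DB_PASSWORD}"`

func main() {
	for _, f := range ScanForCredentials(sampleSource) {
		fmt.Printf("line %d: %s = %s\n", f.Line, f.Name, f.Redacted)
	}
}
```

On the constructed sample this reports only the two real-looking literals (lines 2 and 6); the environment lookup, the empty value, the commented-out placeholder and the templated value are all dropped. The name list is deliberately narrow; widen it per code base, and treat any hit as a lead to confirm in the repository history, not as proof on its own.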
Security Implications and Response
This incident highlights the risk of third-party modifications to messaging clients used for sensitive communications. The archiving mechanism breaks Signal's security model: end-to-end encryption guarantees that only the two endpoints can read a message, and TM SGNL hands a plaintext copy to infrastructure outside them, where it was stored in cleartext. TeleMessage's parent company Smarsh suspended all TeleMessage services "out of an abundance of caution" after the breach was disclosed [2].
Micah Lee's technical assessment notes that TM SGNL's architecture creates multiple attack surfaces: the modified client application, the archiving servers, and the storage systems that hold message copies [5]. A compromise anywhere in that chain exposes what Signal's end-to-end encryption would otherwise protect. The use of enterprise distribution channels adds a further dependency: whoever controls the MDM or provisioning tenant can push builds to managed devices, so a compromise of those systems would be a device-management risk in its own right.
Recommendations for Enterprise Security
Organizations handling sensitive communications should implement several protective measures:
| Risk Area | Mitigation Strategy |
|---|---|
| Third-party messaging tools | Full security audit before deployment, including verification of open-source license compliance |
| Message archiving | Encrypted storage, with keys held outside the archiving tier, strict access controls, regular penetration testing |
| Enterprise app distribution | Hardened MDM systems, code-signing verification of every build pushed to devices |
The breach underscores the importance of vetting every communication tool used for official business, particularly those that handle classified or otherwise sensitive information. Message archiving may be legally required for some organizations, but the security implications of a specific implementation, above all where and in what form the archived copies are held, must be evaluated before it is deployed.
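The following Go program is an added example, not code from TM SGNL, TeleMessage or Signal. It contrasts the archiving design described in the technical analysis above, where the client hands the archiving tier a decrypted copy of each message, with the "Message archiving" mitigation in the table: the client seals the archive copy to a compliance reviewer's public key (X25519 key agreement plus AES-256-GCM, both from Go's standard library) before it leaves the device, so a compromised archive server or mailbox holds only ciphertext plus the metadata needed for indexing. The record format, the key derivation, the function names and the sample messages are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ArchiveRecord is what the archiving tier stores and relays; the message text is never present in the clear.
type ArchiveRecord struct {
	Meta       string // sender/recipient/timestamp: readable for indexing, authenticated as AAD
	EphPub     []byte // client's one-time X25519 public key
	Nonce      []byte
	Ciphertext []byte
}

// NewComplianceKey makes the long-term key that lives only with the compliance reviewer, never on the archiving servers.
func NewComplianceKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// archiveAEAD derives the per-record AES-256-GCM key from the ECDH shared secret.
// Production code would use HKDF; a domain-separated SHA-256 keeps this demo stdlib-only.
func archiveAEAD(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("demo-archive-v1"), shared, ephPub, recipientPub}, nil))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ArchiveCleartext models the design described on the page: the client hands its
// decrypted copy to the archiving tier, which forwards it over SMTP or SFTP.
func ArchiveCleartext(meta, plaintext string) []byte {
	return []byte(meta + "\n" + plaintext)
}

// ArchiveEncrypted seals the copy to the compliance public key on the device, before any archiving infrastructure sees it.
func ArchiveEncrypted(compliancePub *ecdh.PublicKey, meta, plaintext string) (*ArchiveRecord, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(compliancePub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := archiveAEAD(shared, ephPub, compliancePub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(meta))
	return &ArchiveRecord{Meta: meta, EphPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenArchive runs on the compliance reviewer's side; any change to the stored metadata or ciphertext fails the GCM tag check.
func OpenArchive(priv *ecdh.PrivateKey, rec *ArchiveRecord) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(rec.EphPub)
	if err != nil {
		return "", err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	gcm, err := archiveAEAD(shared, rec.EphPub, priv.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Meta))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BackendExposes is the attacker's view: does a blob copied off the archive server contain the message text?
func BackendExposes(stored []byte, plaintext string) bool {
	return bytes.Contains(stored, []byte(plaintext))
}

func main() {
	priv, _ := NewComplianceKey()
	meta, msg := "from=alice to=bob ts=2025-05-05T12:00:00Z", "draft agenda attached, do not forward" // constructed
	rec, _ := ArchiveEncrypted(priv.PublicKey(), meta, msg)
	fmt.Println("cleartext copy leaks message:", BackendExposes(ArchiveCleartext(meta, msg), msg))
	fmt.Println("sealed record leaks message:", BackendExposes(rec.Ciphertext, msg))
	fmt.Println(OpenArchive(priv, rec))
}
```

The property only holds if the compliance private key is kept off the archiving infrastructure entirely; putting it on the same servers that hold the records recreates the situation described in this article. The cost is that the archive can no longer be searched by content, which is usually why such products keep plaintext, so that trade-off has to be made explicitly. A production implementation would use HKDF and an established hybrid encryption construction such as HPKE rather than the single hash shown here.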
Conclusion
The TeleMessage breach demonstrates how third-party modifications to secure applications can introduce critical vulnerabilities. The incident raises questions about government procurement processes for communication tools and highlights the risks of relying on unvetted commercial solutions for sensitive discussions. Future security evaluations of similar tools should include thorough code audits, architecture reviews, and verification of encryption implementations.
References
1. "Unofficial Signal app used by Trump officials investigates hack," BleepingComputer, May 5, 2025.
2. "Tech site 404 Media says Signal-like app used by Trump adviser was hacked," Reuters, May 5, 2025.
3. "Mike Waltz app Trump," The Guardian, May 5, 2025.
4. "The Signal Clone the Trump Admin Uses Was Hacked," 404 Media, May 5, 2025.
5. "TM SGNL: The Obscure Unofficial Signal App Mike Waltz Uses to Text With Trump Officials," Micah Lee's Blog, May 5, 2025.
6. "Here's the source code for the unofficial Signal," Reddit, May 5, 2025.