On Tuesday a Senator demanded the Department of Justice investigate “the serious threat to U.S. national security” posed by TeleMessage, a company that makes aa Signal clone used by the Trump administration which 404 Media revealed was hacked on Sunday, with the hacker obtaining the content of some users’ messages and group chats.
The news is the latest piece of fallout from the TeleMessage hack and the Trump administration’s use of Signal, or insecure modified versions, more broadly. On Monday NBC News reported that another hacker had targeted the same company, and TeleMessage suspended service in response to the breaches.
“Communications from several federal agencies, including the most senior national security officials, have been recklessly entrusted to TeleMessage, a foreign company that purports to offer agencies a secure tool to archive messages sent using Signal, the popular secure messaging app,” Senator Ron Wyden’s letter reads. The Washington Post first reported the existence of the letter.
“It would be hard to imagine a less secure way for U.S. government agencies to retain employee messages than decrypting, copying to, and processing those messages on a poorly secured server operated by a foreign company,” the letter adds. TeleMessage is an Israeli company that was acquired by Portland, Oregon company Smarsh in 2024.
TeleMessage makes modified versions of Signal and other communication apps like WhatsApp and Telegram and adds an archiving feature to them which copies messages sent across the service. This can be a useful, or sometimes legally necessary, service for government agencies and regulated industries like financial institutions. Adding that archive capability, however, undermines the security of robustly encrypted messaging apps like Signal and introduces significant risk. As 404 Media’s reporting on the hack shows, those threats are far from theoretical and very much real.
The hacker provided 404 Media with some TeleMessage users’ message contents; the names and contact information for government officials; usernames and passwords for other parts of TeleMessage’s infrastructure; and screenshots that indicated what companies or agencies may also be TeleMessage customers. The hacker said “the whole process took about 15-20 minutes.”
In a New York Times article before 404 Media broke news of the hack, Tom Padgett, the president of Smarsh’s enterprise business, said “we do not de-encrypt,” meaning messages weren’t decrypted while being collected for archiving, the letter says.
“These claims are plainly false,” the letter adds. 404 Media’s coverage found that some archived Signal messages were in plaintext, meaning they were not encrypted and were obtained by the hacker.
Government agencies using TeleMessage “have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats,” the letter says.
“It remains unclear whether the design of this system was merely the result of incompetence on the part of the foreign company, whose senior leadership are former intelligence officers, or a backdoor designed to facilitate foreign intelligence collection against U.S. government officials. Regardless, TeleMessage’s dangerously insecure design should have been discovered long before the company’s app was installed on the phone of the President’s national security advisor and, presumably, other senior White House officials,” it continues. The TeleMessage episode started when Reuters photographed then-U.S. National Security Advisor Mike Waltz using TeleMessage’s version of Signal, 404 Media first reported.
The letter then directly urges the Department of Justice to investigate, saying TeleMessage appears to have misled the federal government about the security of its products by claiming to provide end-to-end encryption when it does not; and for an investigation into the counterintelligence threat posed by the company, including “whether the company has shared U.S. government communications with the Israeli government, and whether the Israeli government played any role in the product’s dangerous design.”
Smarsh did not immediately respond to a request for comment.
A copy of an Smarsh FAQ sent to customers obtained by 404 Media says “it is not possible to register new users. Users that were logged out for their Apps will not be able to login again.”
