In one of 2025’s most alarming security breaches, a modified clone of the Signal app, known as “TM SGNL,” compromised sensitive government communications and exposed deep vulnerabilities in the use of foreign-built tech.
The clone, developed by Israeli tech firm TeleMessage and acquired by Smarsh in 2024, was intended to archive encrypted communications for compliance purposes.
Instead, it introduced serious vulnerabilities that were exploited by hackers, exposing sensitive government communications and raising concerns about foreign software vendors and operational security.
TM SGNL Security Breach: Key Events & Timeline
February 2024
- The US-based company Smarsh acquired TeleMessage.
March 2025
- Former National Security Adviser Mike Waltz accidentally added The Atlantic’s editor-in-chief to a Signal group chat discussing U.S. military operations in Yemen.
- WSJ and Axios reported that officials, including Waltz and Defense Secretary Pete Hegseth, were using Signal to coordinate discussions involving Russia and Ukraine.
May 1, 2025
- Reuters published photographs confirming Waltz was using “TM SGNL” at a cabinet meeting. It is not known whether White House officials began using TM SGNL after the initial Signal group chat, or before.
- Waltz was fired and quickly nominated to become U.S. Ambassador to the UN. Marco Rubio was named interim National Security Adviser.
May 4, 2025
- 404 Media reported that a hacker breached TeleMessage’s backend in under 20 minutes, accessing usernames, passwords, internal credentials, and message data from modified versions of Signal, Telegram, and WhatsApp.
May 5, 2025
- News sources reveal TeleMessage’s efforts to rebrand as “Capture Mobile.”
- Additional reporting tied the company to Israeli military intelligence units, NSO Group, and Cellebrite.
- TeleMessage’s website was changed to a simple landing page that is non-functional.
- It was reported that Smarsh, the parent company, notified users, “it is not possible to register new users. Users that were logged out for their Apps will not be able to login again.”
May 6, 2025
- One of the key journalists from the initial 404 media coverage of the hack, Micah Lee, published a detailed investigation revealing that TeleMessage can access plaintext chat logs despite marketing claims of end-to-end encryption.
May 8, 2025
- On May 8, the CVE Program published CVE-2025-47729, confirming what Micah Lee had previously revealed, that TeleMessage’s TM SGNL app stores plaintext messages despite end-to-end encryption claims. The flaw is listed in CISA’s Known Exploited Vulnerabilities catalog.
May 18, 2025
-
WIRED released an article by Micah Lee with updated technical details revealing how the TM SGNL breach occurred. The hacker exploited insecure client-side MD5 password hashing and a critical server misconfiguration that exposed internal memory to the public internet. They accessed an unprotected
/heapdumpURL and downloaded server memory containing usernames, passwords, and unencrypted message content, despite TeleMessage’s previous claims of using end-to-end encryption.\ -
Affected parties of the breach were noted to be U.S Customs and Border Protection (CBP) as well as Coinbase.
July 1, 2025
-
Cybersecurity and Infrastructure Security Agency (CISA) added two new TeleMessage SGNL flaws to its Known Exploited Vulnerabilities catalog:
- CVE-2025-48927 : Initialization of a Resource with an Insecure Default Vulnerabilit
- CVE-2025-48928 : Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
October 2025
- As of October 2025, TeleMessage’s site consisted of a simple landing page with a Contact Us link and a Privacy Policy, but implied links like “Learn about,” were no longer clickable.
Related reading
See how Comma Compliance can securely capture WhatsApp and Signal without breaking encryption
Also available via our Substack newsletter.
This article is for informational purposes only and does not constitute legal or compliance advice.
