France's Secure Government Messaging App Was Hacked—But Not How You Might Think

France's government has a private messaging service called Tchap, built to keep official communications secure and away from US tech companies. On 9 June 2026, officials confirmed that someone broke in and stole about 643,000 messages using a method that caught security experts' attention: the hacker didn't crack the encryption. Instead, they logged in as a real employee and grabbed the messages from there.

The French government's digital agency, DINUM, confirmed the breach. A threat actor using the name 'misere' claimed responsibility after posting some of the stolen data online, according to BleepingComputer.

How the Hack Worked

Tchap runs on an open-source messaging platform called Matrix. The attacker got access by compromising a legitimate user's account — possibly through phishing, password reuse, or similar attacks that are common today. Once logged in, they were able to pull out a huge number of messages directly from the system.

This is different from what many people imagine happens in a hack. Tchap's encryption itself — the scrambling technology that locks messages — stayed intact. The problem was not that the hacker broke the encryption. The problem was that once they had a valid login, the system let them take whatever they wanted.

Think of it like a bank vault. The vault door has a great lock, but if someone steals a teller's ID badge and walks in during business hours, they can just grab money from the counter without ever touching the vault.

What the Security Problem Really Was

The breach points to an architectural weakness, not a weakness in the encryption code itself. This distinction matters because it tells us how to fix the problem.

Tchap is built to let authorized users access rooms full of messages — similar to group chats. Once the hacker had a legitimate login, the system's design allowed them to retrieve many messages at once without throwing up warning flags. The encryption protected the messages in transit, but nothing stopped an authenticated insider (or in this case, someone pretending to be one) from downloading them in bulk.

This is a known problem in shared messaging systems. Any platform where one person can access many messages faces this risk if it doesn't have enough safeguards. Those safeguards would include things like limiting how fast someone can download messages, noticing when an account suddenly starts acting strangely, and requiring extra verification for sensitive actions.

The question left unanswered so far is whether Tchap had these safeguards in place. If it did, they weren't strong enough. If it didn't, that was a significant oversight for a system meant to handle sensitive government communications.

Who Did It and Why

The person or group calling themselves 'misere' has not been publicly linked to any government, criminal organization, or known hacking group so far. They claimed responsibility by posting some of the stolen messages online. We don't know yet whether this was a state-sponsored spy operation, an act of protest, or someone trying to extort money. The French government has not publicly explained the motive.

The Deeper Lesson: Sovereignty Has a Cost

France and other European countries built their own messaging and cloud systems partly to stop relying on American tech companies and to keep data under their own control. This was a deliberate choice after concerns about government surveillance and data privacy.

But self-hosted systems come with a hidden cost: the government organization running them has to do all the security work itself. Commercial tech companies employ large teams of security specialists whose only job is to stop hackers. A government agency running its own messaging system has to build and maintain that same level of expertise in-house — and in practice, that is often harder than it sounds.

Tchap's encryption technology is solid. The underlying Matrix platform has been reviewed by security experts. What failed here was the operational side — the day-to-day security practices and system design that should catch an account being used in unusual ways. That is a fixable problem, but it is a reminder that encryption alone is not enough.

What's Next

For other governments running similar systems, this breach is a signal to tighten up session security. That means things like requiring extra authentication steps, logging users out faster, watching for unusual activity, and using special hardware devices to prove identity. All of these are standard practice at large tech companies but sometimes missing from government systems.

The broader point is this: when you choose to run your own secure system instead of relying on a big tech company, you get control, but you also get responsibility. That responsibility includes investing as much in everyday security practices as in the underlying encryption. Tchap's goal — keeping government communications private and under French control — remains worthwhile. This breach just shows where more work needs to happen.