France's official messaging service Tchap suffers from an account breach.

      France developed its own encrypted messaging application so that government officials would not need to rely on WhatsApp or Telegram. However, this messenger has now been compromised, and the government and the hacker are unable to come to an agreement on the extent of the breach.

      On June 7, France’s National Cybersecurity Agency (ANSSI) discovered a security breach in Tchap, and the Digital Affairs Directorate (DINUM), which operates the platform, issued an incident report and took steps to block the involved account. Importantly, this incident did not involve a breach of the encryption or the underlying infrastructure.

      Officials state that the intruder gained access by taking over a legitimate user account, indicating a compromise of credentials rather than an infiltration of the system itself. The government’s description of the damage is limited. Tchap, which operates on the open Matrix protocol, supports both public and private conversations, with the private ones being end-to-end encrypted. DINUM asserts that even if an account is impersonated, the history of those private encrypted conversations remains inaccessible, and only the unencrypted public chat rooms, which any authenticated user can access, might have been viewed.

      Investigators are still reviewing the logs to determine exactly which conversations were accessed and whether any data was extracted. DINUM has informed the data protection regulator CNIL, as personal information may have been revealed in the content that the attacker could access, and has reminded users that public rooms are unsuitable for sensitive information.

      The attacker presents a much broader narrative. Using the alias ‘Misère’, the hacker claims to have accessed data related to approximately 73,000 state agents, 643,000 messages, nearly 60,000 files totaling around 13.5 gigabytes, hundreds of chat rooms, and about 90 references to ‘Diffusion Restreinte’, a designation for restricted distribution in France, covering the period from June 2023 to June 2026.

      The hacker alleges that access was obtained through social engineering targeting an account in Tchap’s educational environment, and that a directory-search function allowed for user enumeration throughout the service.

      The figures shared by dark web intelligence sources and repeated by French security media have not been confirmed by ANSSI or DINUM, who do not address issues like restricted documents or directory exposure in their statements. Several French cybersecurity analysts have pointedly excluded these numbers from their breach reports due to the lack of independent verification, meaning they remain claims made by the attacker rather than established facts.

      There is a technical complexity that adds to the government's attempts to reassure the public. End-to-end encryption secures messages during transmission and storage, meaning the server cannot provide old private chats. However, security experts highlight that fully taking control of a logged-in client is distinct: an attacker impersonating the user can potentially see anything the account can access, including private rooms. While encryption remains intact, the impersonation creates a vulnerability.

      This situation is particularly painful given what Tchap symbolizes. DINUM and ANSSI designed it as a state-controlled, French-hosted alternative to WhatsApp, Telegram, and Slack, launched in 2019 to ensure that government communications do not reside on foreign-owned platforms. Since 2025, Tchap has been deployed across various ministries to hundreds of thousands of public officials, aligning with a broader French initiative for technological independence that has seen Paris move ministries from Windows to Linux, while Europe addresses its dependence on foreign technology as a political liability.

      The discrepancy between ‘a few public rooms’ and ‘73,000 accounts and references to restricted documents’ will be clarified through log analysis, rather than through official communications. For a service that promotes itself as a reliable means for secure governmental communications, even a contained breach represents a significant setback. A bold but unverified claim by the hacker adds to the narrative that skeptics of sovereignty, as well as France’s competitors, will be eager to amplify.