
Jun 14, 2026 · 6 min read

France's Tchap Breach Exposed 73,000 Civil Servants

France built Tchap specifically to replace WhatsApp and Signal for government communications. Less than a year after making it mandatory, a single hijacked account gave an attacker 13.5GB of government data — including 650,000 chat messages and organizational metadata on 73,467 civil servants.

On June 7, 2026, a threat actor using the alias "misere" compromised Tchap — France's state-built sovereign messaging platform — by socially engineering a civil servant's account at the education ministry. Five days later, DINUM and ANSSI confirmed that data on 73,467 government employees had been exfiltrated, along with nearly 650,000 messages from public chat rooms. The platform was designed to replace WhatsApp and Signal for government use. The attack happened less than a year after its use became mandatory.

Key Takeaways

  • On June 7, 2026, threat actor "misere" used a hijacked education ministry account to breach Tchap, France's government-mandated sovereign messaging platform.
  • The attacker exfiltrated names, email addresses, organization affiliations, and device metadata for 73,467 of Tchap's 825,000 registered civil servant accounts — roughly 9% of the user base.
  • Approximately 643,459 messages from public, unencrypted chat rooms were scraped, along with 59,386 shared media files totaling 13.5GB.
  • Hardcoded LDAP credentials were found in a PowerShell script among the exfiltrated data, potentially opening further attack paths.
  • Private, end-to-end encrypted conversations were not accessed; DINUM confirmed the compromised account was blocked and notified France's data protection authority CNIL.

What Is Tchap and Why Did France Build It?

Tchap is a Matrix/Synapse-based decentralized instant messaging application developed jointly by DINUM (the Interministerial Directorate for Digital Affairs) and ANSSI (France's national cybersecurity agency). The project began in 2018 and was built as a sovereign alternative to commercial messaging platforms — specifically WhatsApp and Signal — whose servers and companies sit outside French jurisdiction.

The legal motivation was explicit: commercial platforms operating under US law can be compelled to disclose data to American authorities under frameworks like the CLOUD Act. A domestically hosted, government-developed application running on French infrastructure, the argument went, would not be subject to those foreign legal pressures.

In August 2025, Prime Minister François Bayrou made Tchap mandatory for all civil servants conducting official work communications, simultaneously banning the use of WhatsApp and Signal for government business. By June 2026, the platform had 825,000 registered accounts and more than 300,000 monthly active users, with over 500,000 downloads on the Google Play Store alone.

How Did the Attacker Get In?

The entry point was the education ministry's federated shard: matrix.agent.education.tchap.gouv.fr. The attacker used social engineering to compromise a civil servant's account on that shard. Because Tchap is built on the Matrix protocol — which by design federates data across shards and allows authenticated users to query a shared user directory — gaining access through one ministry's shard also exposed account enumeration across all other ministries.

This architectural detail matters. Matrix federation is a feature, not a flaw: it enables interoperability across decentralized deployments. But it also means that a single compromised account on one shard can be leveraged to scrape metadata from the entire network. The attacker did exactly that, using API calls or direct Matrix protocol queries to enumerate accounts and pull data from public rooms.
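One defensive consequence of the federation behaviour described above is that directory enumeration is noisy: a single account has to hit the Matrix user-directory search endpoint (`POST /_matrix/client/v3/user_directory/search`) far more often than a human would. The following detector is an added example, not DINUM's or Synapse's code; the log format, user localparts and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: flag accounts whose user-directory searches in any sliding
# window look like enumeration. Log line format is constructed, not Synapse's:
#   "<ISO timestamp> <matrix user id> <method> <path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>@[^:\s]+:\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
DIRECTORY_SEARCH = "/_matrix/client/v3/user_directory/search"  # real Matrix endpoint


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # tolerate malformed lines instead of aborting the scan
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["method"], m["path"]


def find_directory_scrapers(log_lines, window=timedelta(minutes=5), threshold=30):
    """Return {user: peak_count} for users whose directory searches within any
    window of length `window` reach `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    peaks = {}
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, method, path = parsed
        if method != "POST" or path != DIRECTORY_SEARCH:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


def constructed_log():
    """Constructed sample: one normal user, one account hammering the directory."""
    base, srv, lines = datetime(2026, 6, 7, 9, 0, 0), "agent.education.tchap.gouv.fr", []
    for i in range(5):  # normal: five searches spread over an hour
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} @alice:{srv} POST {DIRECTORY_SEARCH}")
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} @alice:{srv} GET /_matrix/client/v3/sync")
    for i in range(80):  # suspicious: eighty searches in four minutes
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} @hijacked:{srv} POST {DIRECTORY_SEARCH}")
    lines.append("garbled line")  # exercises the malformed-line path
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    print(find_directory_scrapers(constructed_log()))
```

In a real deployment the same sliding-window count would be fed from the homeserver's request logs and joined with the account's usual baseline; the point is that one hijacked account scraping the whole federation stands out on volume alone.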

The attacker also discovered hardcoded LDAP credentials in a PowerShell script within the exfiltrated data. LDAP (Lightweight Directory Access Protocol) is the standard system used by large organizations to manage directory services — usernames, passwords, organizational structure. Exposed LDAP credentials represent a serious secondary risk that goes beyond the initial breach scope, potentially enabling deeper access into internal infrastructure.
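The secondary risk above is only possible because a bind password sat in plain text inside a script that was later shared. The scanner below is an added example, not ANSSI's or DINUM's tooling; it flags the common PowerShell idioms for hardcoding an LDAP bind secret and reports them with the secret redacted, so it can run in a pre-commit hook or over a chat-room export. The sample script is constructed and is not the file from the breach.

```python
import re

# Added example: find hardcoded directory credentials in PowerShell source.
# Three idioms are covered; each regex captures the literal as "secret".
PATTERNS = [
    # New-Object System.DirectoryServices.DirectoryEntry("LDAP://...", "user", "secret")
    ("DirectoryEntry bind with literal password",
     re.compile(r'DirectoryEntry\s*\(\s*"LDAP://[^"]*"\s*,\s*"[^"]*"\s*,\s*"(?P<secret>[^"]+)"', re.I)),
    # ConvertTo-SecureString "secret" -AsPlainText -Force
    ("plaintext SecureString literal",
     re.compile(r'ConvertTo-SecureString\s+"(?P<secret>[^"]+)"\s+-AsPlainText', re.I)),
    # $ldapPassword = "secret"  (any variable whose name contains pass/pwd)
    ("password variable assigned a literal",
     re.compile(r'\$\w*(pass|pwd)\w*\s*=\s*"(?P<secret>[^"$]+)"', re.I)),
]


def redact(secret):
    """Keep two characters so the reviewer can locate the value, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_powershell(text):
    """Return [(line_no, description, redacted_secret)] for every hit; comments skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for desc, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append((no, desc, redact(m["secret"])))
    return findings


# Constructed sample (hypothetical host and account names, not from the incident).
CONSTRUCTED_SCRIPT = r'''
# sync-users.ps1
$ldapPwd = "Winter2026!"
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc01.example.invalid", "EXAMPLE\svc_sync", "Winter2026!")
$sec = ConvertTo-SecureString "Winter2026!" -AsPlainText -Force
$cred = Get-Credential   # prompting at runtime leaves nothing in the file; no hit
'''

if __name__ == "__main__":
    for finding in scan_powershell(CONSTRUCTED_SCRIPT):
        print(finding)
```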

What Data Was Actually Stolen?

The breach produced 13.5GB of material. According to "misere's" claims on a dark web forum — claims that DINUM and ANSSI have not fully confirmed or denied — the exfiltrated dataset includes:

  • Names, email addresses, organizational affiliations, and device metadata for 73,467 civil servants
  • Approximately 643,459 to 650,000 messages from public, unencrypted chat rooms
  • 59,386 shared media files
  • References to approximately 90 items marked "Diffusion Restreinte" — France's restricted-distribution classification — spanning June 2023 to June 2026

DINUM confirmed that public chat rooms on Tchap are not encrypted by design, meaning anyone authenticated on the platform can read them. Private conversations, which use end-to-end encryption, were not accessed. The compromised account has been blocked and handed to ANSSI for forensic analysis. DINUM formally notified CNIL, France's data protection supervisory authority.

Why Does This Matter for Journalists and Activists?

The Tchap breach carries particular weight for journalists, civil society organizations, and activists operating in France — precisely because they were among the groups most explicitly encouraged to trust the platform.

The political argument for Tchap was not just about government efficiency. It was also a privacy argument: a state-controlled tool on domestic infrastructure would protect sensitive communications from foreign surveillance. French journalists covering sensitive topics were pointed toward Tchap as a legally safer alternative to US-based platforms. Activists working with civil servant contacts were told the same.

This breach exposes the gap in that reasoning. The threat vector that succeeded here — social engineering a single human account holder — works identically against sovereign infrastructure and commercial infrastructure. The jurisdiction of the servers was irrelevant. What mattered was that one person was manipulated into surrendering access.

The data now in "misere's" hands has meaningful intelligence value even without private message content. Knowing which civil servant works at which ministry, which public chat rooms they participate in, and what their device metadata looks like allows an adversary to map organizational structure, identify targets for further social engineering, and correlate public activity with organizational roles. That is precisely the metadata exposure that journalists are trained to minimize. For context on what email and communications metadata can reveal, see what your email metadata reveals about you.

Does "Sovereign" Infrastructure Mean "Secure" Infrastructure?

The honest answer, based on this incident, is: not necessarily. Sovereignty addresses a specific threat model — foreign legal compulsion. It does not inherently address the threat model that succeeded here: social engineering a human.

Tchap's Matrix/Synapse architecture is technically sound. End-to-end encryption for private conversations worked as designed. The breach did not involve cryptographic failure, server-side exploits, or a zero-day vulnerability. It involved a person being deceived. That is a threat model that no amount of domestic hosting solves.

For compliance officers managing data governance under GDPR, the CNIL notification is the legally required response. But the breach also surfaces a harder question: does an internal mandate to use a specific platform create concentrated risk? If 825,000 civil servants are required to use a single messaging system, and that system is compromised, the blast radius covers the entire French public sector. Diversification of communications channels — even at some cost to administrative convenience — is a risk consideration worth revisiting in the post-incident review.

ANSSI's investigation is ongoing. The full scope of what "misere" accessed, and whether the hardcoded LDAP credentials enabled any secondary access, has not yet been confirmed. Journalists covering French government sources should assume that the metadata of their contacts — organizational affiliation, ministry, participation in public rooms — may now be in criminal hands.

Source: BleepingComputer: French govt says Tchap breach affected over 73,000 accounts; Help Net Security: French government messaging platform breached.
