France Built Its Own Messaging App to Replace Signal. Then Hackers Stole 643,000 Government Messages.
France banned Signal for government use and built Tchap. A hacker stole 73K accounts, 643K messages, and 59K media files from French ministry conversations.

In 2025, the French government banned the use of foreign messaging apps like Signal and WhatsApp for official communications. The replacement was Tchap, a messaging and collaboration platform built by DINUM, the French digital affairs directorate, and ANSSI, France's cybersecurity agency. The logic was straightforward: sovereign technology for sovereign communications.
In June 2026, a threat actor going by the username "misere" breached Tchap and claimed to have stolen 13.5 gigabytes of data. The stolen dataset reportedly includes 73,467 user accounts from French government ministries, 643,459 messages, 876 chat rooms with full message history, and 59,386 shared media files.
The irony is sharp. France replaced a messaging platform built by one of the world's most respected cryptography teams (Signal) with a government-built alternative, and the government alternative was breached. The sovereign technology argument assumed that building your own platform provides better security than using a proven one. The Tchap breach suggests the opposite may be true.
The Sovereign Security Paradox
The decision to build Tchap was driven by legitimate concerns about digital sovereignty: French government communications should not flow through servers controlled by American technology companies. The concern about data residency, metadata exposure, and foreign intelligence access is reasonable.
But sovereignty and security are not the same thing. Signal has been subjected to years of adversarial security research by the global cryptography community. Its protocol has been formally verified. Its codebase is open-source and continuously audited. Building a replacement that matches Signal's security posture requires not just engineering talent but sustained adversarial testing at a scale that most government projects cannot achieve.
When building the CIAM platform that scaled to serve over a billion users, we learned that authentication and security infrastructure benefits from broad deployment and adversarial testing. The more users and attackers interact with a system, the more vulnerabilities are discovered and fixed. A government-only platform with a limited user base and a limited security research community has a smaller attack surface in theory but fewer eyes finding bugs in practice.
The Tchap breach exposed the exact type of data that the platform was designed to protect: inter-ministerial communications, policy discussions, operational coordination, and the professional networks of French government officials. The 73,467 compromised accounts span multiple ministries, meaning the breach provides a detailed map of who communicates with whom across the French government.
Lessons for Government Technology
Sovereign does not mean secure. Building your own platform controls data residency but does not guarantee better security than established alternatives. If the goal is protecting communications, the security of the cryptographic implementation and the platform's resilience to attack matter more than where the servers are located.
Centralized government platforms create high-value targets. When all government communications flow through a single platform, breaching that platform exposes everything. A federated approach with end-to-end encryption, where messages are encrypted before reaching any server, limits the blast radius of a server-side compromise.
Ban decisions should be accompanied by security investments. If a government replaces a proven platform with a custom alternative, the security investment in the replacement must match or exceed what was replaced. Otherwise, the ban achieves sovereignty at the cost of security.
The Tchap breach should inform every government considering similar sovereign technology mandates. The question is not whether to control your communications infrastructure. It is whether you can build and maintain something more secure than what already exists. For most governments, the answer is no.
Key Takeaways
- France's government-built Tchap messaging app, designed to replace Signal and WhatsApp for official use, was breached in June 2026
- 73,467 government user accounts, 643,459 messages, 876 chat rooms, and 59,386 media files were reportedly stolen
- The breach exposes inter-ministerial communications and reveals professional network maps across French government agencies
- Sovereign technology controls data residency but does not guarantee superior security over established, battle-tested alternatives
- Centralizing all government communications in a single platform creates a catastrophic single point of failure
Deepak Gupta is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve over 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.
Get the newsletter
New writing on identity, AI security, and building software, delivered when it ships. No tracking pixels, no funnels, unsubscribe with one click.