Presented at DEF CON 33 (2025), Aug. 9, 2025, 4 p.m. (45 minutes).
In March, former national security advisor Mike Waltz accidentally invited a journalist into his war crimes Signal group with other senior Trump officials. “We are currently clean on OPSEC,” secretary of defense Pete Hegseth posted to the group. In May, Waltz was photographed clandestinely checking his Signal messages under the table during a cabinet meeting.
Only it turns out, Waltz was actually using a knock-off of Signal called TM SGNL. Immediately after that, TeleMessage (the company that makes TM SGNL) was hacked, and the hacker was able to access plaintext Signal messages. It was then hacked again, and the second hacker exfiltrated hundreds of gigabytes of data before TeleMessage took its service offline.
This talk is about the entire TeleMessage saga: the history of the company, which was founded by a former Israeli spook; its customers – Trump officials, US Customs and Border Protection, crypto firms, etc.; how TeleMessage archives Signal, WhatsApp, Telegram, WeChat, and SMS messages; an analysis of the TM SGNL source code that proves the company lied about supporting end-to-end encryption; the trivial exploit that was used to extract data from TeleMessage’s archive server; and how I analyzed hundreds of gigabytes of memory dumps full of chat logs from TeleMessage customers.
References:
- My initial analysis, from May 2: [link](https://micahflee.com/tm-sgnl-the-obscure-unofficial-signal-app-mike-waltz-uses-to-text-with-trump-officials/)
- The source code I published, from May 3: [link](https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/)
- Article I cowrote in 404 Media about the hack, from May 4: [link](https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/) -- it’s paywalled, you can see the whole thing at [link](https://web.archive.org/web/20250504221243/https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/)
- My analysis of the source code that proves TeleMessage lied about E2EE, from May 6: [link](https://micahflee.com/despite-misleading-marketing-israeli-company-telemessage-used-by-trump-officials-can-access-plaintext-chat-logs/)
- Senator Ron Wyden’s letter that references my research: [link](https://www.wyden.senate.gov/imo/media/doc/doj_letter_telemessage.pdf)
Presenters:
- Micah "micahflee" Lee
Micah is a member of the Lockdown Systems collective. He's a coder, a security researcher, and an independent journalist. He develops open source privacy and security tools, and he's done a lot of work related to journalism and whistleblowing. He’s the former director of infosec for The Intercept. He wrote a book that teaches people how to analyze hacked and leaked datasets, Hacks, Leaks, and Revelations. He really doesn’t like the technofascist future we’ve all been forced into.