Surveillance

The Tchap Breach: France Forced Its Workers Onto a 'Secure' Messenger — Then 560,000 Messages Leaked

France ordered its civil servants onto Tchap because it was 'sovereign and secure.' Then a single hijacked account walked off with 560,000 messages.

Ryan Callicoat 4 min read min read
A shattered digital padlock breaking into fragments of code, symbolizing the Tchap encrypted messenger breach

The French government had a simple promise for the hundreds of thousands of civil servants it ordered off WhatsApp and Signal: Tchap is sovereign, Tchap is encrypted, Tchap is safe. In June 2026, that promise came apart in the space of a single hijacked login.

According to a disclosure from DINUM — the French government’s own digital affairs directorate — an attacker walked off with roughly 13.5 gigabytes of data from Tchap: an estimated 560,000 messages and information on more than 73,000 accounts, including staff at the French tax authority. And here is the part the official statements quietly step around: nobody broke the encryption. They didn’t need to. They simply logged in as someone who was already trusted.

What is Tchap — and why were people forced onto it?

Tchap is France’s home-grown, Matrix-based encrypted messaging platform, built specifically so that government employees would stop using foreign apps like WhatsApp and Signal. As of August 2025 it was effectively mandated for civil servants — sold as the “sovereign” choice, the one that kept sensitive French government conversations on French-controlled infrastructure, safely encrypted, away from prying foreign eyes.

That is the story citizens and staff were told. The breach is the footnote.

How one account unraveled a “secure” system

A shadowy hooded figure at a keyboard surrounded by streams of data, representing the social-engineering attack on Tchap
The Tchap breach didn’t start with a cracked cipher — it started with a trusted account that should never have been trusted.

This was not a Hollywood-style cryptography heist. By the available accounts, the intrusion began with social engineering — someone was manipulated into handing over access to a legitimate account. Once the attacker controlled that single trusted login, they could quietly scrape every channel and conversation that account was allowed to see.

The reported haul went well beyond message text: email addresses, organization details, meeting links, and account and device metadata. In other words, not just what people said, but the map of who they are, where they work, and how they connect — the exact blueprint you would want before a second, more targeted attack.

“End-to-end encrypted” is not the same as “safe”

Here is the sleight of hand baked into every “military-grade encryption” marketing line. Encryption protects a message in transit — while it travels between devices. It does nothing once an authorized account is sitting inside the room reading along. To the system, the hijacked account wasn’t an intruder. It was a colleague.

That is why “but it’s encrypted” is such a comforting and such a hollow reassurance. The lock on the front door is irrelevant if you hand a copy of the key to anyone who asks nicely enough.

The pattern they’d rather you didn’t notice

A giant digital surveillance eye over a government building, leaking documents and data
Force everyone into one “safe” place and you don’t remove the target — you build it.

Step back and the real lesson isn’t about France, or about one careless click. It’s about a habit governments and corporations keep repeating: when you herd everyone onto a single official, centralized platform “for their protection,” you don’t eliminate the risk — you concentrate it.

A mandated, centralized messenger isn’t a fortress. It’s a honeypot. Every sensitive conversation in the entire civil service, pooled in one place, behind one authentication system, waiting for one trusted account to be compromised. We were told centralization meant safety. The breach is what centralization actually buys: a single point of failure with 73,000 doors and only one of them needs to be propped open.

What this actually means for you

You are not a French tax official, but the same logic is being sold to you every day — by your employer, your bank, your government, and every app that insists its walled garden is for your own good.

  • Centralized “secure” equals centralized risk. The bigger the pool, the bigger the prize.
  • Ask who can read the room, not just who can intercept the wire. Encryption in transit is the easy half of the promise; access control is the half that fails.
  • “Mandatory for your safety” deserves the most scrutiny, not the least. The moment you’re told you have no choice but to trust one system, that system becomes the most valuable target on the board.

The French government told its workers Tchap would keep them safe. 560,000 messages later, the truth is the same as it always is: the people who tell you what’s “secure” are rarely the ones holding the consequences when it isn’t.

Sources

Disclosure of the breach was attributed to DINUM, the French government’s digital affairs directorate. Figures (13.5GB, ~560,000 messages, 73,000+ accounts) are as reported as of mid-June 2026 and may be revised as the investigation continues.