CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 15, 2026

French Government Messaging Platform Breached by Mysterious ‘Misere’ Hacker

Security Week Archived Jun 15, 2026 ✓ Full text saved

French officials say roughly 73,000 government accounts were affected, while the threat actor claims to have stolen messages and user data from the sovereign Tchap platform. The post French Government Messaging Platform Breached by Mysterious ‘Misere’ Hacker appeared first on SecurityWeek .

Full text archived locally
✦ AI Summary · Claude Sonnet


    More 70,000 French government employees had personal details stolen. Why and by whom? On June 8, 2026, DINUM announced that the official French government chat service (Tchap) had been breached on June 7. At the same time, a threat actor calling itself ‘misere’ claimed responsibility. DINUM is the French government’s interministerial digital directorate in charge of Tchap.  Tchap is a ‘secure’ sovereign instant messaging service for French government employees designed to combine the principle of data sovereignty with increased security over third-party foreign systems. It includes secure chat rooms that are end-to-end encrypted, and ‘public’ chat rooms that are not encrypted. Misere is… unknown. There is no public record of a threat actor known as ‘misere’. DINUM says the system was compromised following account hijacking, and states, “Of the more than 825,000 registered agents, 73,467 are reportedly affected by this incident, representing less than 9% of registered users.”  Misere supposedly claimed almost precisely the same: theft of more than 70k accounts (aligning with DINUM’s statement); but added that it stole 13.5GB of files across more than 643,000 messages. However, we cannot verify misere’s claim because it was reported rather than published by the OSINT FrenchBreaches community, and the original misere claim is not or no longer available on the internet. So, we’re left with a conundrum. An official announcement states the breach occurred (not was discovered but occurred) on June 7 and was limited to 9% of the users. Classic, but not inaccurate, downplaying. But almost immediately, an unknown threat actor agrees with the number of affected accounts but claims theft of 13.5GB of actual data. We cannot verify this latter detail since we only have reports of a report – but if we assume accuracy and honesty, is it realistic to believe that this amount of data can be gathered and exfiltrated in a single day by an otherwise unknown threat actor? For additional insights into the cause and effect, we talked to Ilia Kolochenko, a qualified attorney, and CEO, founder and chief architect at ImmuniWeb. ImmuniWeb operates a dark web monitoring and threat intelligence service for its clients and sees thousands of different incidents daily. Could misere be a pseudonym adopted by a state actor for this small and relatively innocuous breach – for example, Russia embarrassing France over its pro Ukraine position; or the US doing the same for its anti-Iran war position? Kolochenko doesn’t think so, “Because it’s a little trivial. This is too small for large power intelligence agencies to bother with.” Before 2024, he had seen state actors compromise systems and rapidly act on the compromise. “But since 2024,” he continued, “state actors tend to infiltrate and lay low. What is alarming now is a new trend with state actors breaching critical national infrastructure and its suppliers silently. They just backdoor everything to get control of a nation’s infrastructure. They just go deeper and deeper and deeper, trying to get access to as many critical systems as possible.” The motivation is to pre-position with the ability to bring down multiple if not all the critical industries in an enemy nation simultaneously. This is cyberwar in preparation for or defense against a possible kinetic war. Nor does he think that the suggestion that the breach was an account take-over event is informative. It could be as simple as a hacker getting the credentials from stealer logs; but if it were an advanced hacker, that would not be necessary. “In today’s cloud and AI world, you don’t need to steal cookies with infostealers. You don’t need zero days. You just send a legitimate request to an API, and you’ll get all the records of a governmental institution or a private company, and everything will be on your hard drive within several hours.” Such an hypothesis could explain how misere could exfiltrate 3.5GB on the same day as the breach was discovered. Does the name misere give any clue to the actor or motivation? Again, no. “The name given to this actor is meaningless,” suggested Kolochenko. “Sometimes a hacker or group wants to protect a reputation for doing more meaningful hacks and adopts a ‘burner’ identity. Sometimes one group will impersonate another group that might be considered a rival or affiliated with a different adversarial nation.” The fact that the name is unknown does not mean that the actor is unknown. Overall, this attack by an unknown hacker against a secure government chat system does not present itself as an APT attack. But that could even be the purpose. After all, it involves 70,000 government employees. DINUM specifies in its breach disclosure announcement, “The potentially exposed user account data includes, at a minimum: first and last name, email address, affiliated entity, and avatar.” The affiliated entity would expose which government department is involved, the email address is provided, and Misere further claimed to have scraped 640,000 (plaintext) chat messages. This combination would be a treasure trove for subsequent targeted spear-phishing, valuable to both financially motivated cyber gangs and state actors ultimately targeting not Tchap but the ministries employing the Tchap users. But – and this is the point of this discussion – we just don’t know the truth: everything is conjecture. Frankly, trying to understand the cause and motivation behind any cyber incident is based on conjecture with little known truth. Related: Maine Disables Data Breach Portal Due to Fake Submissions Related: University of Nottingham Confirms Breach After Hackers Leak Data Related: 174,000 Impacted by Lansing Community College Data Breach Related: Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals WRITTEN BY Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Alert Fatigue Is Becoming a Security Threat of Its Own OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month Infostealers Turn Millions of Devices Into Credential Theft Machines New Platform Uses Cryptographic Invisibility to Protect AI-Built Applications Will AI Kill the Bug Bounty Industry? OWASP Incubator Project Helps Developers Find and Fix Vulnerable Dependencies in Seconds Offroad Emerges From Stealth With $7 Million to Tackle Enterprise Identity Risk Security of 100 AI Agents Tested and Ranked – What You Need to Know Latest News Ukrainian Man Pleads Guilty in US to Conti Ransomware Charges Ozempic Maker Novo Nordisk Says Hackers Breached IT Systems ShinyHunters Claims Council of Europe Hack FBI, Google Dismantle ‘Outsider Enterprise’ Phishing Service Maine Disables Data Breach Portal Due to Fake Submissions  NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks Anthropic Says It Has Taken Its Latest AI Models Offline to Comply With New Export Controls In Other News: Google Security Layoffs, AudiA6 Takedown, $400 Million Coupang Fine Trending Webinar: How Modern Breaches Bypass MFA And Evade Detection June 17, 2026 Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes. Register Webinar: Modern Exposure Validation In The AI Era June 24, 2026 AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program. Register People on the Move Stephen Garcia has been named Chief Information Security Officer at BreachRx. Kasper Lindgaard has been appointed Vice President of Security Strategy at CoreView. Chaim Mazal has been named Chief Information Security Officer at GitLab. More People On The Move Expert Insights After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told The Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor) Raising The Cybersecurity Stakes: Ante Up For The Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Flipboard Reddit Whatsapp Email
    💬 Team Notes
    Article Info
    Source
    Security Week
    Category
    ◇ Industry News & Leadership
    Published
    Jun 15, 2026
    Archived
    Jun 15, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗