TeleMessage Explorer: a new open source research tool
micahflee.com
See also: TeleMessage customers include DC Police, Andreessen Horowitz, JP Morgan, and hundreds more: https://micahflee.com/telemessage-customers-include-dc-polic...
https://shewantstheisrd.myshopify.com/products/clean-on-opse... I found the sticker
That one is pure gold.
The TeleMessage dataset is massive and messy, and this tool lowers the barrier for journalists and researchers to extract meaningful insights. It’s also a reminder that “secure” enterprise tools often aren’t—especially when they’re built to satisfy compliance checkboxes rather than actual security principles. The fact that TM Signal was used by senior officials makes the plaintext logging and key exposure even more alarming. Kudos to Micah for not just reporting the breach but also enabling others to dig deeper.
What seemed to be interesting from the email addresses disclosed is that there are a hell of a lot of people engaged in finance, investment or trading of one sort or another.
There are a few there with enough emails for it to be relatively widespread within the institution: Scotiabank, JPMorgan, KKR and Jefferies stand out -- Scotiabank has hundreds of emails, I imagine they're having a bad week. Also a lot of energy stuff, Aramco, Total.
I don't think a bank's email being there indicates they use the service; more likely a customer of theirs uses TeleMessage and as a result the comms between that bank customer and the bank are in the breach.
Do you understand how emails come into this? I thought signal used only phone numbers...
Since TeleMessage is not really Signal but just a front, the Israelis want your email to sign up (it's mostly an enterprise service, so you either pay and they know who you are already) etc.
this is like slack for signal
I don’t understand the value proposition of TeleMessage. Uses Signal but defeats the point of using Signal. Why not use a proper centralized chat with actual retention and encryption?
If you need your partners/bankers/salespeople/cabinet-level officials etc. to be able to converse with their clients on the E2E encrypted systems those clients already use, like WhatsApp and Signal, but maintain retention for legal or internal data-mining reasons, the only way to do that is to have a modified client, perhaps cracked or forked from an official client, that speaks the same wire protocol, but copies messages to separate storage.
Now, such a system could be set up to route those copied messages in a separately E2E-encrypted way to the client's in-house/on-prem archival systems, and have the client be responsible for implementing decryption and secure storage at rest. But it's far easier to just sell a centralized cloud-based archival/retrieval system - which must necessarily be able to decrypt messages, and thus makes for an incredibly juicy target.
Given the supply-chain risks of the provider offering the customized clients anyways, one would expect them to have a strong security focus... but it certainly seems this was not the case.
> the only way to do that is to have a modified client
My firm requires screenshots. If the concern is that someone would bypass that, well, someone could bypass TeleMessage, too.
One has to wonder what type of legal requirement this satisfies.
It certainly wouldn’t hold up to the “beyond a reasonable doubt” standard for US criminal prosecution.
I’ve been exposed to “lit holds” for various document management system before and usually a third party such as Box or Microsoft can attest to the immutability of files placed under lit hold, and/or there is an audit trail to make sure the chain of custody is intact.
Why not try a new Document Management system - comes with AI OCR and Extraction module. Name - DocuSensa AI
> what type of legal requirement this satisfies
Typically between commercially reasonable and best efforts.
> been exposed to “lit holds” for various document management system before
I think these are held to a higher standard than run-of-the-mill securities compliance.
I wonder if it is just organizations that don't really care about anything other than brand name (signal is known as pretty good, right) and CYA.
Like it might legitimately be the case that you personally have expended more brainpower trying to understand the decision than they put into making it.
This is probably it.
Or there might be an issue with trusting their own IT departments. With Signal they don't even have to trust Signal (haha, but they might think that you know).
There's another possibility: NSA told them to use Signal w/ TeleMessage so that NSA could see everything because they have an agreement with TeleMessage or because NSA knows about all these vulns in TeleMessage.
There's other possibilities too.
You might be subject to compliance requirements for archival but also want to talk to other people who use signal.
For example DC Police may have confidential informants who would be best to use Signal because that isn't unusual. But the people they are communicating with need to retain the communication.
So basically, you tell at-risk people they're E2E, but keep a copy on whatever storage system you want to use and send another to your friends.
This is the fundamental problem that end-to-end encryption doesn’t solve, right? If the person on the other end is malicious or really dumb they can still leak your messages.
E2EE’s biggest use case is preventing the government from reading your messages. If you are messaging the government (or are in the government) then this isn’t relevant.
This has always been possible with screenshots. SGNL is just an enterprise solution.
At the end of the day you need to trust who you are talking to and never over share.
E2E means that the messaging provider can't read the messages. The receiver can still see the messages and do whatever they want with them.
Most people don’t care about anonymous communication. The agendas of those who do vary.
Signal is essentially iMessage that works in Android for all intents. Supporting it lets you communicate with outside entities. Otherwise the only mechanism to do so is email, which is problematic at best.
Government and finance are required by law to archive and audit communications. Some companies do anyway to keep tabs on staff.
> Why not use a proper centralized chat with actual retention and encryption?
This is the right question to ask. It might be that such a thing doesn't quite exist in the way that the customers want (doubtful; Slack should work just fine), or more likely it might be a cultural issue (that Signal is ingrained in some of these executives' minds as _the_ secure system to use, and/or that they don't want Slack/Whatever to be the service provider for IM _and_ the service provider for retention, or that they don't want Slack/Whatever with on-prem services because they don't trust their own IT, etc.).
Obviously TeleMessage's value add is to add retention to Signal, which defeats the point of Signal. That leads me to think that the motivation is cultural.
Considering they accidentally included a journalist, compatibility with the existing user network. If you need logged chat with normal Signal users, TeleMessage would probably be the way to do this.
> I don’t understand the value proposition of TeleMessage. Uses Signal but defeats the point of using Signal.
I kind of feel the same way about Signal itself due to its reliance on phone numbers.
Only one person in the groupchat needs to be using Telemessage, ie. a CIA agent can use a government device with Telemessage to talk to sources on Signal. Signal has a great protocol & robust clients, and getting caught with Signal on your phone is probably a bit better than being caught with CIAChat on your phone.
The actual implementation here is atrocious though.
I'm hoping that this will be yet another shot in the war to convince corporations and government agencies that they need to have on-prem data hosting that isn't accessible to the company running the service. I don't think you can do full E2E between individual employees in a corporate setting, but at the very least if all of the organization's data is only accessible to the organization, that'll help with a lot of these third-party data breaches.
(it won't help when the organization is breached, which unfortunately still seems to be the main way that user data gets leaked)
Ultimately, though, until there starts to be federal law mandating chain of custody for user data and harsh penalties on it being leaked, I think that this will continue for a long time...
Update: I should have read the article - did not realize TeleMessage was supposed to be E2E. I guess now the lesson is that you shouldn't be using normal devices for national security information (classified or not), and otherwise it's still not good to use a sketchy service that doesn't have Moxie-grade crypto implementations.
If a company knows something about you, so does the government(s).
This is exactly the state of affairs the government prefers.
Privacy and consumer protection long died on the altar of turnkey totalitarian universal monitoring.
By having corps do the creepiest data collection, whatever all political opposition to the complete surveillance state is bypassed
Just so long as every once in a while, they convince some junior senator to hold a hearing to throw some executive at them that will use it as a way of earning clout within the company and no one cares about the outcome. The junior senator will lament about their political opponents, the committee will pat itself on the back for doing their job, the corporate crony will report back to the board that they delivered the talking points, and it will go right back to business as usual.
To the extent that this is the case, or more importantly, can become the case, that is why the concept of data parsimony is important: https://martinfowler.com/bliki/Datensparsamkeit.html
https://news.ycombinator.com/item?id=23710925
This is a beautiful word for a useful concept, thank you!
> if a company knows something about you, so does the government(s)
The constant litigation between the government and private companies over records requests should put this hypothesis to bed.
The black box rooms in the telecom firms two decades ago beg to differ.
What you are talking about is small fry law enforcement.
If you don't think the NSA has total access to the databases of the thousands of social network and advertising/data collection firms, I don't know what to tell you.
Maybe something totally encrypted, but even then there is hardware backdoors, and the NSA can simply pay an employee to legally let them in.
They only need to pay off or install a single employee to get total or near-total access. Consider this chart from 2013 showing when various tech companies were added to PRISM:
https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sl...
A lot of the companies embattled in the "constant litigation" mentioned by the GP are featured in this very chart.
> lot of the companies embattled in the "constant litigation" mentioned by the GP are featured in this very chart
Yup. A great first step towards understanding these systems is to disaggregate the monoliths of these enterprises and the U.S. government into their power centres.
Do you believe the disaggregation of those monoliths helps to put the "hypothesis to bed"? It sure seems like you were listing "constant litigation" over "records request" as counterevidence of the claim that "if a company knows something about you, so does the government(s)".
If anyone in the U.S. government is extracting data from companies in a manner which is unlawful or should be (and they sure are), I see that as strong evidence of the hypothesis. Pointing out that local agencies may have to fight for their access in court doesn't change that it "is exactly the state of affairs the government prefers".
> sure seems like you were listing "constant litigation" over "records request" as counterevidence of the claim that "if a company knows something about you, so does the government(s)"
Yes. Just because the NSA can access some data doesn’t mean the entire federal government, including the NSA, has it.
> local agencies may have to fight for their access
The White House is fighting Harvard for student records. I don’t think people appreciate the degree to which information is siloed, intentionally and unintentionally, in the federal government. (It’s what led to DOGE likely committing multiple felonies.)
>I don’t think people appreciate the degree to which information is siloed, intentionally and unintentionally, in the federal government.
Thanks for that. Information can be completely siloed and the statements "If a company knows something about you, so does the government(s)" and "This is exactly the state of affairs the government prefers" still be correct.
Is your belief that the federal government has not actually purchased hordes of corporate surveillance data? Or is it that because there are examples of information being siloed or not available, that means it's okay or a non-issue that Americans' data that was once unlawfully collected is now still unlawfully collected but also collected by corporations and purchased wholesale by the federal government?
This is pretty significantly off-topic, but I'll respond anyway:
(a) That's one of the reasons why it's important to restrict corporate data collection in addition to state data collection; and
(b) In the vast majority of cases, the US government at least, has to obtain a warrant to collect data on US citizens, so those two sets are not the same
I agree with the idea that most governments around the world have far more access to corporate data than they should, but I wouldn't go as far as to say that they have complete access (with caveats - the US has more protections than most of the rest of the world, for instance, and China has far less).
>In the vast majority of cases, the US government at least, has to obtain a warrant to collect data on US citizens, so those two sets are not the same
If only that were true[0][1][2][3].
[0] (2022): https://fedscoop.com/dhs-buying-personal-data-from-govt-cont...
[1] (2023): https://www.congress.gov/118/meeting/house/116192/documents/...
[2] (2024): https://www.cnn.com/2024/01/26/tech/the-nsa-buys-americans-i...
[3] (2025): https://theintercept.com/2025/05/22/intel-agencies-buying-da...
Signal is licensed under GNU AGPLv3 - think there will be any action against the company for license violations? I suppose it's the least of their liabilities, but just wondering.
The Signal protocol is public; using their servers is frowned upon but it's not a source code license violation.
Does the importer validate heapdump JSON and flag malformed records before they reach PostgreSQL?
Heap dumps on the Internet. Java ecosystem has some criminal defaults.
It’s truly wild that something like this exists. It really speaks to the unfathomable levels of incompetence that this is what the Trump administration was using to plan military operations over.
And we all drop our jaws, wonder what is happening, and then wake up to a slurry of new stories.
From the other article which shared the email domains found in the heap. Sorry in advance for the poor formatting.
---
Source: `https://micahflee.com/telemessage-customers-include-dc-polic...`
### I. Industry Breakdown
*Financial Services (Dominant):* This is by far the most represented sector. It encompasses a wide array of sub-sectors:
* *Investment Banking & Brokerage:* A large number of domains belong to global and regional investment banks, interdealer brokers, and brokerage firms.
  * Examples: `jefferies.com`, `morganstanley.com`, `cantor.com`, `tpicap.com`, `bgcg.com`, `rjobrien.com`, `clarksons.com` (shipping finance/brokerage)
* *Asset & Investment Management:* Numerous firms managing diverse asset classes for institutional and private clients are present.
  * Examples: `kkr.com`, `aresmgmt.com`, `pimco.com`, `nuveen.com`, `franklintempleton.com`, `apg-am.com`
* *Banking (Commercial & Private):* Major multinational and regional banks are included, covering commercial, private, and retail banking.
  * Examples: `jpmorgan.com`, `bbva.com`, `cibc.com`, `scotiabank.com` (and its numerous regional variations), `bradescobank.com`, `safra.com`, `standardbank.co.za`, `dbank.co.il`
* *Wealth Management:* Firms specializing in wealth advisory for high-net-worth individuals are visible.
  * Examples: `gentrustwm.com`, `boltonglobal.com`, `rohrpwm.com`
* *Cryptocurrency & Digital Assets:* A significant and growing sub-sector, with exchanges, trading firms, and investment managers focusing on digital assets.
  * Examples: `coinbase.com`, `galaxydigital.io`, `b2c2.com`, `hiddenroad.com`, `aminagroup.com` (formerly SEBA), `panteracapital.com`
* *Fintech & Financial Technology:* Companies providing technology solutions for the financial industry, including trading platforms and compliance tools.
  * Examples: `smarsh.com`, `telemessage.com`, `interactivebrokers.com`
* *Venture Capital & Private Equity:* A strong showing of firms investing across various stages and sectors, from early-stage tech to large buyouts.
  * Examples: `a16z.com`, `sequoiacap.com` (implied), `vistaequitypartners.com`, `lcatterton.com`, `ardian.com`, `tigerglobal.com`, `tcv.com`, `bitkraft.vc`, `blockchaincapital.com`

*Energy & Commodities:* This sector is well-represented by:
* *Trading Houses:* Global and regional commodity traders dealing in oil, gas, metals, and agricultural products.
  * Examples: `vitol.com`, `gunvorgroup.com`, `eni.com` (also integrated), `amerexenergy.com`, `amius.com`, `pvm.co.uk`
* *Energy Companies (Integrated & Exploration/Production):* Major oil and gas companies and related services.
  * Examples: `totalenergies.com`, `petrobras.com`, `marathonpetroleum.com`, `p66.com`, `aramcotrading.us`

*Government & Public Sector:* Primarily U.S. government entities, including:
* *Federal Agencies:*
  * Examples: `cbp.dhs.gov` (Customs and Border Protection), `usss.dhs.gov` (Secret Service), `dfc.gov` (Development Finance Corporation), `who.eop.gov` (White House Office)
* *Local Government:*
  * Example: `dc.gov` (District of Columbia Government)

*Technology (Non-Fintech Focus):* While many tech firms are Fintech-related, some general software and IT service providers are present.
* Examples: `nice.com`, `nebari.com`, `vlmsofts.com`

*Consulting:* A smaller representation, often specialized.
* Example: `soteriasolutions.us` (safety/threat management)

*Real Estate:* Investment and advisory firms in the real estate sector.
* Examples: `eastdilsecured.com`, `digitalbridge.com` (digital infrastructure)

*Shipping & Logistics:* Companies involved in shipping brokerage and services.
* Examples: `clarksons.com`, `mcquilling-energy.com`, `freightinvestor.com`

### II. Geographical Breakdown (Based on domain extensions and company descriptions)
* *United States (Dominant):* A very large portion of the entities are U.S.-based or have significant U.S. operations. This is evident from the high number of `.com` domains associated with American companies and the presence of `.gov` domains.
  * Major financial centers like New York and tech hubs in California are implicitly represented (e.g., `aresmgmt.com`, `kkr.com`, `a16z.com`, `morganstanley.com`).
* *Canada:* A strong presence, particularly Scotiabank and its various divisions, along with other financial and tech firms.
  * Examples: `scotiabank.com`, `scotiabank.ca` (implied), `cibc.com`, `bitbuy.ca`, `wonder.fi`
* *United Kingdom:* Well-represented in finance (banking, brokerage, asset management) and commodities. London's role as a global financial hub is evident.
  * Examples: `cantor.co.uk`, `pvm.co.uk`, `ubauk.com`, `hbluk.com`, `rmb.co.uk`, `amcgroup.com`
* *Latin America:* Several domains indicate operations or focus in this region, with Scotiabank having a particularly strong showing.
  * *Mexico:* `scotiabank.com.mx`, `scotiacb.com.mx`, `scotiawealth.com.mx`
  * *Chile:* `scotiabank.cl`, `larrainvial.com`
  * *Peru:* `scotiabank.com.pe`
  * *Colombia:* `scotiabankcolpatria.com`
  * *Brazil:* `br.scotiabank.com`, `petrobras.com.br`, `bradescobank.com`, `itaubba.eu` (European arm of Brazilian bank)
  * *Panama:* `pa.scotiabank.com`
* *Europe (excluding UK):*
  * *France:* `totalenergies.com`, `ardian.com`, `mbcfrance.com`
  * *Switzerland:* `seba.swiss` / `aminagroup.com`, `hnwag.com`, `itau.ch`
  * *Monaco:* `tyruscap.mc`
  * *Netherlands:* `apg-am.com`
  * Other European presences through global firms (e.g., `itaubba.eu`).
* *Asia:* Highlighting its role as a financial hub.
  * *Hong Kong:* `apg-am.hk`
  * *Singapore:* `apg-am.sg`, `gfigroup.com.sg`, `icap.com.sg`, `sg.pimco.com`, `traditionasia.com`
  * *Japan:* `mitsui.com`, `tullettprebon.co.jp`, `smbcgroup.com`
  * *Israel:* `dbank.co.il`, `fibi.co.il`, `opco.co.il`, `nice.com`
  * *Indonesia:* `miraeasset.co.id`
* *Middle East:*
  * *UAE:* `freightinvestor.ae`, `aramcotrading.us` (US trading arm of Saudi Aramco)
  * General presence of firms like Alpha Wave Global with strong ties to the region.
* *Africa:*
  * *South Africa:* `standardbank.co.za`
* *Global:* Many firms operate globally, even if headquartered in a specific country (e.g., `a16z.com`, `kkr.com`, `morganstanley.com`).

### III. Notable Trends & Observations
* *Dominance of Financial Services:* The sheer volume of financial sector domains underscores its significant role in this context.
* *Globalization of Finance:* Many financial institutions have multiple country-specific domains (e.g., Scotiabank, PIMCO, ICAP/TP ICAP), reflecting international operations.
* *Rise of Digital Assets:* Numerous cryptocurrency exchanges, traders, and VCs focused on Web3 indicate the growing institutionalization of this asset class.
* *Concentration of Energy Trading:* A significant number of specialized energy and commodity trading firms are present.
* *Venture Capital Focus on Technology:* Many VC firms listed are known for investments in technology and, increasingly, blockchain/crypto.
* *Government Presence:* Inclusion of U.S. federal and local government domains suggests interactions with these regulatory or administrative bodies.
* *Prevalence of `.com`:* Despite geographical diversity, `.com` remains the most common top-level domain.
* *Personal Email Addresses (`gmail.com`):* The presence of a few Gmail addresses (6 emails) is minor but indicates not all communications are necessarily from official corporate domains.
---
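As an added example (not code from the article, from TeleMessage Explorer, or from the commenter above), this is the kind of domain grouping the breakdown was built from: collapse regional variants such as `br.scotiabank.com` and `scotiabank.com.mx` onto one institution, take the ccTLD as a country hint only, and set aside personal and malformed addresses before counting. The suffix and ccTLD tables are hand-picked assumptions (a real importer would use the full Public Suffix List), and the sample addresses are constructed.

```python
# Group e-mail addresses by institution and by country hint, as in the breakdown.
from collections import Counter
import re

# Assumption: a hand-picked set of two-label public suffixes that occur in the
# breakdown, instead of the full Public Suffix List a real importer should use.
MULTI_LABEL_SUFFIXES = {
    "co.uk", "com.mx", "com.pe", "com.br", "co.za", "co.il",
    "co.jp", "co.id", "com.sg",
}
# ccTLD -> country hint. The breakdown itself shows why this is only a hint:
# aramcotrading.us is listed under UAE, wonder.fi under Canada.
CCTLD_REGION = {
    "ca": "Canada", "uk": "United Kingdom", "mx": "Mexico", "cl": "Chile",
    "pe": "Peru", "br": "Brazil", "za": "South Africa", "il": "Israel",
    "jp": "Japan", "sg": "Singapore", "hk": "Hong Kong", "id": "Indonesia",
    "ch": "Switzerland", "mc": "Monaco", "ae": "UAE", "eu": "Europe",
    "us": "United States",
}
GENERIC_TLDS = {"com", "net", "org", "io", "vc", "swiss"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9.-]+\.[a-z]{2,})$")


def registrable_domain(host):
    """scotiawealth.com.mx -> scotiawealth.com.mx; br.scotiabank.com -> scotiabank.com"""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def institution(host):
    # Collapse regional variants onto the first label of the registrable domain,
    # which is how the thread counts "Scotiabank" across its country domains.
    return registrable_domain(host).split(".")[0]


def region(host):
    tld = host.lower().rsplit(".", 1)[-1]
    if tld == "gov":
        return "United States (government)"
    if tld in GENERIC_TLDS:
        return "Unknown (generic TLD)"
    return CCTLD_REGION.get(tld, f"Other ({tld})")


def summarize(addresses):
    """Return per-institution and per-region counts plus the records set aside."""
    institutions, regions, malformed, personal = Counter(), Counter(), [], 0
    for addr in addresses:
        m = EMAIL_RE.match(addr.strip().lower())
        if not m:
            malformed.append(addr)  # flag rather than silently drop
            continue
        host = m.group(1)
        regions[region(host)] += 1
        if registrable_domain(host) in PERSONAL_DOMAINS:
            personal += 1
            continue
        institutions[institution(host)] += 1
    return {"institutions": institutions, "regions": regions,
            "personal": personal, "malformed": malformed}


SAMPLE_ADDRESSES = [  # constructed sample, not data from the leak
    "alice@scotiabank.com", "bob@br.scotiabank.com", "carol@scotiabank.com.mx",
    "dan@scotiabank.cl", "erin@jefferies.com", "frank@cbp.dhs.gov",
    "grace@pvm.co.uk", "heidi@dbank.co.il", "ivan@gmail.com", "not-an-email",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_ADDRESSES)
    for key in ("institutions", "regions"):
        for name, n in result[key].most_common():
            print(f"{key:13s} {name:28s} {n}")
    print("personal:", result["personal"], "malformed:", result["malformed"])
```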
Obviously, it isn't about that. Our government just doesn't want anyone but them spying on its citizens.
It isn't even about that. Tiktok is taking market share from FAANGs. Zuckerberg has spent a pretty penny on this Tiktok disinformation campaign and if you look at the members of Congress behind the ban Tiktok bill, most of them purchased huge amounts of Meta stock before introducing it to Congress. It's corruption all the way down.
> Zuckerberg has spent a pretty penny on this Tiktok disinformation campaign
There's more than enough reports from outside the US that credibly allege TikTok is a critical factor in the radicalization and recruitment of the far-right and militant Islamism [1][2][3].
Conspiracies about Zuckerberg wanting to dunk on a competitor aside (that may or may not be real, and I'm heavily inclined to believe they are true), the threat from TikTok is real, this application needs to be exterminated at all cost before China completely tears apart our society.
[1] https://www.bpb.de/lernen/digitale-bildung/werkstatt/560523/...
[2] https://www.zdf.de/nachrichten/politik/deutschland/radikalis...
[3] https://www.tagesschau.de/inland/regional/hessen/hr-wandern-...
Both assertions can be true at the same time
> There's more than enough reports from outside the US that credibly allege TikTok is a critical factor in the radicalization and recruitment of the far-right and militant Islamism [1][2][3].
You can find literature to support that claim for Youtube, Facebook, and Twitter, not just Tiktok. The Making of a Youtube Radical was a big story back in 2019. Facebook won the election for Trump in 2016. Twitter is owned by a Nazi who routinely boosts far-right conspiracy theories.
The answer isn't banning Tiktok but passing strong privacy and data legislation that affects all social media platforms. Not just Tiktok. US social media companies have been pulling on the seams of society far before Tiktok arrived.
At least we can tackle Meta, Google and Twitter with domestic courts (and the EU is already turning the screws). With Tiktok, we have about zero ways to influence them. Straight Chinese propaganda right in the brains of our children.
> With Tiktok, we have about zero ways to influence them.
I could swear the US passed a law targeted at TikTok last year. The law was precisely targeted to prevent any collateral damage on any of the American social media companies that are guilty of most or all the bad behavior leveled against TikTok.
> At least we can tackle Meta, Google and Twitter with domestic courts
We don't, and we won't (and these platforms are just as easily manipulated as TikTok), but we can, and that's what matters.
The TikTok thing was about it being a mass medium that was distributing Chinese and Russian propaganda and whose leadership was outside US jurisdiction.
The former is controlled by the most notable enemy of America. The latter is shitware that the government was stupid to buy. They are both threats to national security but in different ways and the government being stupid about TeleMessage doesn't mean it should ignore the threat of tik tok.
It's a data leak that was posted publicly online. Yes DDoSSecrets restricts access to verified journalists and security researchers but if you don't fall under that criteria you can always just get it the old fashioned way by digging around for torrents of data leaks like everyone else has done since forever.
Isn't DDoSSecrets the only one that has access to the hacked/downloaded dataset, so there wouldn't be other copies floating around unless someone else simultaneously downloaded the dataset at the same time?
Someone can prove me wrong by dropping a magnet link. :)