ProBackend | cybersecurity, data breaches | 1 hour ago · 8 min read

France's Sovereign Messenger Tchap Compromised After Account Takeover

DINUM confirmed that France's government-built Tchap messaging platform was breached on June 7, 2026 after ANSSI detected a threat actor hijacking a legitimate user account via social engineering. The attacker, calling itself 'Misère,' claims to have scraped 650,000 messages and 13.5GB of files across 73,000 accounts on the Matrix-based platform that serves over 300,000 monthly users in the French public sector.

Marcus Wright

It wasn't a zero-day. Not a firewall breach. Not a server exploit.

Just a password.

On June 7, 2026, a French civil servant's Tchap account was hijacked—not by some shadowy Russian APT, not by a nation-state with a billion-dollar budget, but by a hacker who phished a credential. And in doing so, they cracked open the entire edifice of France's digital sovereignty.

DINUM, the government's digital affairs directorate, confirmed the breach the next day. ANSSI, the national cybersecurity agency, had detected the anomalous activity. The account was blocked. The logs were being reviewed. The public was told: "Only public chat rooms were accessed. Nothing encrypted was touched."

But the attacker, calling themselves 'Misère,' had a different story.

They claimed to have scraped 650,000 messages. 13.5GB of files. 73,000 user profiles. And worse—they claimed that once you had a single message with a media ID, you could download any file ever shared on Tchap, across any shard, without authentication.

No one from DINUM has confirmed that last part.

And that silence? That's the real breach.

Because Tchap wasn't just an app. It was a promise.

A promise that France, tired of relying on WhatsApp and Slack, could build its own secure, sovereign communication platform. A promise that civil servants could talk about budgets, procurement, even sensitive policy drafts without fear of foreign surveillance.

That promise is now in tatters. Not because the encryption failed. But because the human layer did.

And in the age of AI-driven phishing, that's the most dangerous vulnerability of all.

The Account That Broke France's Sovereign Messenger

The Attack: Social Engineering, Not Code

The attacker didn't crack Tchap's encryption. They didn't exploit a flaw in the Matrix protocol. They didn't even need to touch the backend.

They called someone.

According to the attacker's own claims—published on dark-web channels and later echoed by French OSINT analysts—they targeted the education shard of Tchap: matrix.agent.education.tchap.gouv.fr. They didn't brute-force. They didn't spray passwords. They social engineered.

A call. A fake IT ticket. A spoofed email from "DINUM Compliance." Maybe a LinkedIn message from a "colleague" in the Ministry of Education. The attacker didn't need to be sophisticated. They just needed to be convincing.

And they got lucky.

One account. One compromised credential. And suddenly, they had access to everything that account could see.

DINUM's official statement is cautious: "The account originating the malicious requests has been identified and blocked." That's it. No details on how the credential was obtained. No mention of whether the user had MFA enabled. No word on whether the account was a high-value target or just some mid-level bureaucrat who clicked a bad link.

But here's what we do know: Tchap's architecture treats every logged-in client as the user. If you're logged in, you're trusted. The encryption protects messages in transit—but if you're the user, you can see their private chats, their files, their meeting invites.

That's not a flaw in the protocol. That's how end-to-end encryption works.

The problem isn't Tchap. The problem is the assumption that a user account is a fortress.

It's not.

It's a door. And someone just handed the key to a stranger.

And here's the kicker: the attacker claims they used a directory-search function to enumerate users across the entire platform. That means they didn't just access one account—they used it as a key to map the entire French public sector's communication network.

If that's true? That's not a breach.

That's an intelligence harvest.

And we still don't know if DINUM has confirmed it.

Why?

Because admitting that would mean admitting that Tchap's architecture, designed to be secure, is also dangerously opaque. That the same design that protects private chats also makes user enumeration trivial.

And that's the kind of admission that makes politicians panic.

So they stay silent.

And the public? They're left wondering: if this is what happens with a single account, what happens when a real threat actor comes after the whole system?

The Numbers Game: Who's Lying?

Let's talk numbers.

DINUM says: 73,467 of 825,000 registered users were affected. That's 8.9%. They're careful. They're measured. They're trying to calm the panic.

The attacker says: 73,000 accounts. 650,000 messages. 13.5GB of files. 90 documents marked 'Diffusion Restreinte.'

Same number of accounts.

But the attacker's numbers? They're specific. Too specific.

And here's the thing: no one from DINUM has denied them.

That's not an accident.

SecurityWeek, TNW, and SafeState all report the same thing: French infosec analysts have deliberately kept these numbers out of breach trackers. Why? Because there's no independent verification. The original attacker post is gone. The OSINT community FrenchBreaches only relayed it. No screenshots. No hashes. No proof.

But here's the paradox: if the attacker is lying, why would they match DINUM's exact figure for affected accounts? Why not say 150,000? Or 200,000? Why align so precisely?

The only explanation that makes sense is this: the attacker knows the truth.

They're not bluffing.

They've seen the logs.

And here's what's terrifying: if the attacker's claims are even partially true, this wasn't a random hack.

This was a reconnaissance mission.

The 90 documents marked 'Diffusion Restreinte'? Those aren't random files. Those are classified. Or at least, restricted. Budgets. Internal memos. Policy drafts. Communications between ministries.

And if the attacker could access them? Then they didn't just steal data.

They mapped France's bureaucratic nervous system.

The Real Vulnerability: Trust in the System

Tchap was never supposed to be perfect.

It was supposed to be ours.

Not American. Not Russian. Not Chinese.

French.

That's the entire point.

When Prime Minister François Bayrou mandated Tchap use across all ministries in August 2025, he wasn't just pushing a new app.

He was making a political statement.

France was declaring independence from Silicon Valley's surveillance capitalism.

No more WhatsApp.

No more Slack.

No more cloud servers in Virginia or Dublin.

All government communication would live on French soil, on French code, under French oversight.

And for a while, it worked.

Over 300,000 monthly users. Half a million downloads. A platform built from the ground up with ANSSI's guidance.

But here's the irony: the more France leaned into sovereignty, the more it forgot the first rule of cybersecurity.

It's not about the code.

It's about the people.

Tchap's encryption is solid. The Matrix protocol is battle-tested. The infrastructure is onshore.

But the login page? That's still just a username and password.

And someone, somewhere, clicked a phishing link. The same social engineering playbook that powers callback scams—like the Shopify Shop App exploitation where fake receipts trick users into calling fraudulent support lines—relies on urgency, authority, and the willingness to trust a familiar interface.

The attacker didn't need to be a genius.

They just needed to be patient.

And they needed France to believe its own propaganda.

That sovereign tech = secure tech.

That's the lie.

Because sovereignty doesn't stop social engineering.

It doesn't stop tired civil servants from reusing passwords.

It doesn't stop someone from calling a regional tax office and saying, "I'm from DINUM, we need to reset your Tchap credentials for compliance."

And that's the real vulnerability.

Not the platform.

The culture.

The Fallout: A Nation's Digital Identity in Question

The Tchap breach didn't just expose messages.

It exposed France's digital identity.

This wasn't just another data leak.

It was a symbolic collapse.

Because Tchap was more than a messaging app.

It was a symbol.

A symbol that France could build its own digital future.

And now? That symbol is broken.

The breach comes just weeks after the ANTS incident, where a 15-year-old was detained for selling stolen data from 11.7 million French citizens.

Two massive breaches in under three months.

One targeting identity documents. One targeting government communications.

And both exploited the same weakness: human trust.

It's not a coincidence.

It's a pattern.

France has poured billions into sovereign tech—Linux migration, AI labs, data centers in Normandy.

But they've poured almost nothing into user training.

No mandatory phishing simulations.

No mandatory MFA enforcement. As detailed in our analysis of how attackers bypass MFA, even when multi-factor authentication is enabled, device code phishing and OAuth workflow exploits can circumvent it entirely.

No real-time alerts when an account logs in from an unknown device.

Just a platform.

And the hope that people would use it right.

That's not security.

That's wishful thinking.

What Comes Next? The Real Work Begins

The investigation is ongoing.

DINUM says they're analyzing logs.

ANSSI says they're tracing the attack path.

CNIL says they're preparing a report.

But here's the truth:

The real work hasn't even started.

Because the breach is over.

The damage? That's just beginning.

The 73,000 affected users? They're now prime targets for spear-phishing.

The attacker has their names. Their emails. Their departments. Their meeting links.

They know who works in the Ministry of Finance. Who's on the education committee. Who's drafting the next climate policy.

And they know exactly how to reach them.

Because now, they don't need to guess.

They have the playbook.

And it's not just about phishing.

It's about trust.

Because if a civil servant believes their government can't even secure a messaging app, why would they believe it can secure their pensions? Their health records? Their tax data?

The erosion of trust is the quietest, most dangerous consequence.

So what's next?

First: mandatory MFA for every Tchap user. No exceptions.

Second: real-time user behavior monitoring. If someone logs in from a new device, or at 3 a.m., trigger an alert.

Third: a public audit of the media ID flaw. If files can be downloaded without authentication, fix it. Now.

And fourth: stop pretending this is just a technical problem.
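The monitoring the second recommendation asks for, together with the directory-search enumeration described earlier in the post, as an added example that is not Tchap's, DINUM's or any Matrix homeserver's code: three detection rules run over constructed login and directory-search events. The JSON field names, the sample users and IPs, and the thresholds (07:00 to 19:59 UTC counted as business hours, five directory searches within sixty seconds counted as a burst) are assumptions of this example, not values documented by the post or by Tchap.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events in JSON-lines form. The field names are this
# example's own, not the log schema of Synapse, Tchap or any real homeserver.
# The story: one user logs in normally, then a second login from an unseen
# device at 03:04 UTC is followed by a burst of user-directory searches.
SAMPLE_EVENTS = """\
{"ts": "2026-06-06T09:12:04Z", "user": "@a.dupont:example.gouv.fr", "event": "login", "device_id": "DEV1", "ip": "192.0.2.10"}
{"ts": "2026-06-06T09:15:30Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "martin"}
{"ts": "2026-06-06T14:02:00Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "bernard"}
{"ts": "2026-06-07T03:04:11Z", "user": "@a.dupont:example.gouv.fr", "event": "login", "device_id": "DEV9", "ip": "198.51.100.77"}
{"ts": "2026-06-07T03:05:00Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "a"}
{"ts": "2026-06-07T03:05:07Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "b"}
{"ts": "2026-06-07T03:05:13Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "c"}
{"ts": "2026-06-07T03:05:20Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "d"}
{"ts": "2026-06-07T03:05:26Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "e"}
{"ts": "2026-06-07T03:05:33Z", "user": "@a.dupont:example.gouv.fr", "event": "user_directory_search", "term": "f"}
{"ts": "2026-06-07T08:30:00Z", "user": "@c.moreau:example.gouv.fr", "event": "login", "device_id": "DEVM1", "ip": "192.0.2.22"}
{"ts": "2026-06-07T08:31:00Z", "user": "@c.moreau:example.gouv.fr", "event": "user_directory_search", "term": "petit"}
"""

# Constructed policy values; an operator would tune these to their own baseline.
BUSINESS_HOURS_UTC = range(7, 20)   # logins from 07:00 to 19:59 UTC are "normal"
SEARCH_BURST_THRESHOLD = 5          # this many directory searches ...
SEARCH_BURST_WINDOW_S = 60          # ... within this many seconds is a burst


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # 'Z' suffix is normalised so this also runs on Python < 3.11.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])  # rules below assume chronological order
    return events


def detect(events):
    """Run three rules over ordered events and return the alerts they raise.

    new_device_login       - login with a device_id never seen for that user
                             (the user's first observed device is taken as baseline)
    off_hours_login        - login whose hour falls outside BUSINESS_HOURS_UTC
    directory_search_burst - SEARCH_BURST_THRESHOLD searches inside a sliding
                             window of SEARCH_BURST_WINDOW_S seconds (fires once
                             per burst, when the threshold is first reached)
    """
    alerts = []
    known_devices = defaultdict(set)
    search_times = defaultdict(deque)

    for ev in events:
        user, ts = ev["user"], ev["ts"]

        if ev["event"] == "login":
            dev = ev["device_id"]
            if known_devices[user] and dev not in known_devices[user]:
                alerts.append({"rule": "new_device_login", "user": user,
                               "ts": ts.isoformat(), "device_id": dev,
                               "ip": ev.get("ip")})
            known_devices[user].add(dev)
            if ts.hour not in BUSINESS_HOURS_UTC:
                alerts.append({"rule": "off_hours_login", "user": user,
                               "ts": ts.isoformat(), "device_id": dev,
                               "ip": ev.get("ip")})

        elif ev["event"] == "user_directory_search":
            window = search_times[user]
            window.append(ts)
            # Drop searches that have aged out of the sliding window.
            while (ts - window[0]).total_seconds() > SEARCH_BURST_WINDOW_S:
                window.popleft()
            if len(window) == SEARCH_BURST_THRESHOLD:
                alerts.append({"rule": "directory_search_burst", "user": user,
                               "ts": ts.isoformat(),
                               "searches_in_window": len(window)})
    return alerts


def run_sample():
    """Apply the rules to the constructed events above."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed data the rules raise exactly three alerts, all for the same account and all within a few minutes of each other: a login from an unseen device, at an hour outside the baseline, followed by a burst of directory lookups. Correlating those three on one account is what turns a single hijacked credential from an invisible event into an incident a SOC can act on before the enumeration finishes.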

It's not.

It's a cultural failure.

France needs a national cybersecurity literacy campaign.

Not a poster.

Not a PowerPoint.

A real, ongoing, mandatory training program—like driver's ed, but for digital hygiene.

Because the next breach won't be on Tchap.

It'll be on the next sovereign platform.

And if we don't fix the human layer now?

We'll be saying the same thing in five years.

"It was just a password."

And the cycle will start again.
