HN Reader

TeleMessage Explorer: a new open source research tool

114 micahflee 59 5/26/2025, 2:50:48 PM micahflee.com ↗
See also: TeleMessage customers include DC Police, Andreessen Horowitz, JP Morgan, and hundreds more: https://micahflee.com/telemessage-customers-include-dc-polic...

Comments (59)

klooney · 2d ago
https://shewantstheisrd.myshopify.com/products/clean-on-opse... I found the sticker
9dev · 2d ago
That one is pure gold.
lzy · 1d ago
The TeleMessage dataset is massive and messy, and this tool lowers the barrier for journalists and researchers to extract meaningful insights. It’s also a reminder that “secure” enterprise tools often aren’t—especially when they’re built to satisfy compliance checkboxes rather than actual security principles. The fact that TM Signal was used by senior officials makes the plaintext logging and key exposure even more alarming. Kudos to Micah for not just reporting the breach but also enabling others to dig deeper.
specproc · 2d ago
What seemed to be interesting from the email addresses disclosed is that there are a hell of a lot of people engaged in finance, investment or trading of one sort or another.

There are a few there with enough emails for it to be relatively widespread within the institution: Scotiabank, JPMorgan, KKR and Jeffries stand out -- Scotiabank has hundreds of emails, I imagine they're having a bad week. Also a lot of energy stuff, Aramco, Total.

a_dabbler · 3h ago
I don't think a banks email being there indicates they use the service, more likely a customer of theirs uses TeleMessage and as a result the comms between that bank customer and the bank are in the breach
jxjnskkzxxhx · 2d ago
Do you understand how emails come into this? I thought signal used only phone numbers...
tough · 2d ago
Since TeleMessage is not really signal but just a front the israelis want your email to signup (its mostly an enterprise service, so you either pay and they know who you are already) etc

this is like slack for signal

ComputerGuru · 2d ago
I don’t understand the value proposition of TeleMessage. Uses Signal but defeats the point of using Signal. Why not use a proper centralized chat with actual retention and encryption?
btown · 2d ago
If you need your partners/bankers/salespeople/cabinet-level officials etc. to be able to converse with their clients on the E2E encrypted systems those clients already use, like WhatsApp and Signal, but maintain retention for legal or internal data-mining reasons, the only way to do that is to have a modified client, perhaps cracked or forked from an official client, that speaks the same wire protocol, but copies messages to separate storage.

Now, such a system could be set up to route those copied messages in a separately E2E-encrypted way to the client's in-house/on-prem archival systems, and have the client be responsible for implementing decryption and secure storage at rest. But it's far easier to just sell a centralized cloud-based archival/retrieval system - which must necessarily be able to decrypt messages, and thus makes for an incredibly juicy target.

Given the supply-chain risks of the provider offering the customized clients anyways, one would expect them to have a strong security focus... but it certainly seems this was not the case.

JumpCrisscross · 2d ago
> the only way to do that is to have a modified client

My firm requires screenshots. If the concern is that someone would bypass that, well, someone could bypass TeleMessage, too.

mingus88 · 2d ago
One has to wonder what type of legal requirement this satisfies.

It certainly wouldn’t hold up to the “beyond a reasonable doubt” standard for US criminal prosecution.

I’ve been exposed to “lit holds” for various document management system before and usually a third party such as Box or Microsoft can attest to the immutability of files placed under lit hold, and/or there is an audit trail to make sure the chain of custody is intact.

JumpCrisscross · 2d ago
> what type of legal requirement this satisfies

Typically between commercially reasonable and best efforts.

> been exposed to “lit holds” for various document management system before

I think these are held to a higher standard than run-of-the-mill securities compliance.

bee_rider · 2d ago
I wonder if it is just organizations that don't really care about anything other than brand name (signal is known as pretty good, right) and CYA.

Like it might legitimately be the case that you personally have expended more brainpower trying to understand the decision than they put into making it.

cryptonector · 2d ago
This is probably it.

Or there might be an issue with trusting their own IT departments. With Signal they don't even have to trust Signal (haha, but they might think that you know).

There's another possibility: NSA told them to use Signal w/ TeleMessage so that NSA could see everything because they have an agreement with TeleMessage or because NSA knows about all these vulns in TeleMessage.

There's other possibilities too.

ls612 · 2d ago
You might be subject to compliance requirements for archival but also want to talk to other people who use signal.
kevincox · 2d ago
For example DC Police may have confidential informants who would be best to use Signal because that isn't unusual. But the people there are communicating need to retain the communication.
whatshisface · 2d ago
So basically, you tell at-risk people they're E2E, but keep a copy on whatever storage system you want to use and send another to your friends.
bee_rider · 2d ago
This is the fundamental problem that end-to-end encryption doesn’t solve, right? If the person on the other end is malicious or really dumb they can still leak your messages.
ls612 · 2d ago
E2EE’s biggest use case is preventing the government from reading your messages. If you are messaging the government (or are in the government) then this isn’t relevant.
mingus88 · 2d ago
This has always been possible with screenshots. SGNL is just an enterprise solution.

At the end of they day you need to trust who you are talking to and never over share.

kevincox · 2d ago
E2E means that the messaging provider can't read the messages. The receiver can still see the messages and do whatever they want with them.
Spooky23 · 2d ago
Most people don’t care about anonymous communication. The agendas of those who do vary.

Signal is essentially iMessage that works in Android for all intents. Supporting it lets you communicate with outside entities. Otherwise the only mechanism to do so is email, which is problematic at best.

Government and finance are required by law to archive and audit communications. Some companies do anyway to keep tabs on staff.

cryptonector · 2d ago
> Why not use a proper centralized chat with actual retention and encryption?

This is the right question to ask. It might be that such a thing doesn't quite exist in the way that the customers want (doubtful; Slack should work just fine), or more likely it might be a cultural issue (that Signal is ingrained in some of these executives' minds as _the_ secure system to use, and/or that they don't want Slack/Whatever to be the service provider for IM _and_ the service provider for retention, or that they don't want Slack/Whatever with on-prem services because they don't trust their own IT, etc.).

Obviously TeleMessage's value add is to add retention to Signal, which defeats the point of Signal. That leads me to think that the motivation is cultural.

aspenmayer · 1d ago
> I don’t understand the value proposition of TeleMessage. Uses Signal but defeats the point of using Signal.

I kind of feel the same way about Signal itself due to its reliance on phone numbers.

ocdtrekkie · 2d ago
Considering they accidentally included a journalist, compatibility with the existing user network. If you need logged chat with normal Signal users, TeleMessage would probably be the way to do this.
cavisne · 1d ago
Only one person in the groupchat needs to be using Telemessage, ie. a CIA agent can use a government device with Telemessage to talk to sources on Signal. Signal has a great protocol & robust clients, and getting caught with Signal on your phone is probably a bit better than being caught with CIAChat on your phone.

The actual implementation here is atrocious though.

throw10920 · 2d ago
I'm hoping that this will be yet another shot in the war to convice corporations and government agencies that they need to have on-prem data hosting that isn't accessible to the company running the service. I don't think you can do full E2E between individual employees in a corporate setting, but at the very least if all of the organization's data is only accessible to the organization, that'll help with a lot of these third-party data beaches.

(it won't help when the organization is beached, which unfortunately still seems to be the main way that user data gets leaked)

Ultimately, though, until there starts to be federal law mandating chain of custody for user data and harsh penalties on it being leaked, I think that this will continue for a long time...

Update: I should have read the article - did not realize TeleMessage was supposed to be E2E. I guess now the lesson is that you shouldn't be using normal devices for national security information (classified or not), and otherwise it's still not good to use a sketchy service that doesn't have Moxie-grade crypto implementations.

AtlasBarfed · 2d ago
If a company knows something about you, so does the government(s).

This is exactly the state of affairs the government prefers.

Privacy and consumer protection long died on the altar of turnkey totalitarian universal monitoring.

By having corps do the creepiest data collection, whatever all political opposition to the complete surveillance state is bypassed

reactordev · 2d ago
Just so long as every once in a while, they convince some junior senator to hold a hearing to throw some executive at them that will use it as a way of earning clout within the company and no one cares about the outcome. The junior senator will lament about their political opponents, the committee will pat itself on the back for doing their job, the corporate crony will report back to the board that they delivered the talking points, and it will go right back to business as usual.
layer8 · 2d ago
To the extent that this is the case, or more importantly, can become the case, that is why the concept of data parsimony is important: https://martinfowler.com/bliki/Datensparsamkeit.html

https://news.ycombinator.com/item?id=23710925

throw10920 · 2d ago
This is a beautiful word for a useful concept, thank you!
JumpCrisscross · 2d ago
> if a company knows something about you, so does the government(s)

The constant litigation between the government and private companies over records requests should put this hypothesis to bed.

AtlasBarfed · 2d ago
The black box rooms in the telecom forms two decades ago beg to differ

What you are talking about is small fry law enforcement.

If you don't think the new has total access to the databases of the thousands of social network and advertising/data collection firms, I don't know what to tell you.

Maybe something totally encrypted, but even then there is hardware backdoors, and the NSA can simply pay an employee to legally let them in.

globie · 2d ago
They only need to pay off or install a single employee to get total or near-total access. Consider this chart from 2013 showing when various tech companies were added to PRISM:

https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sl...

A lot of the companies embattled in the "constant litigation" mentioned by the GP are featured in this very chart.

JumpCrisscross · 2d ago
> lot of the companies embattled in the "constant litigation" mentioned by the GP are featured in this very chart

Yup. A great first step towards understanding these systems is to disaggregate the monoliths of these enterprises and the U.S. government into their power centres.

globie · 2d ago
Do you believe the disaggregation of those monoliths helps to put the "hypothesis to bed"? It sure seems like you were listing "constant litigation" over "records request" as counterevidence of the claim that "if a company knows something about you, so does the government(s)".

If anyone in the U.S. government is extracting data from companies in a manner which is unlawful or should be (and they sure are), I see that as strong evidence of the hypothesis. Pointing out that local agencies may have to fight for their access in court doesn't change that it "is exactly the state of affairs the government prefers".

JumpCrisscross · 2d ago
> sure seems like you were listing "constant litigation" over "records request" as counterevidence of the claim that "if a company knows something about you, so does the government(s)"

Yes. Just because the NSA can access some data doesn’t mean the entire federal government, including the NSA, has it.

> local agencies may have to fight for their access

The White House is fighting Harvard for student records. I don’t think people appreciate the degree to which information is siloed, intentionally and unintentionally, in the federal government. (It’s what led to DOGE likely committing multiple felonies.)

globie · 1d ago
>I don’t think people appreciate the degree to which information is siloed, intentionally and unintentionally, in the federal government.

Thanks for that. Information can be completely siloed and the statements "If a company knows something about you, so does the government(s)" and "This is exactly the state of affairs the government prefers" still be correct.

Is your belief that the federal government has not actually purchased hordes of corporate surveillance data? Or is it that because there are examples of information being siloed or not available, that means it's okay or a non-issue that Americans' data that was once unlawfully collected is now still unlawfully collected but also collected by corporations and purchased wholesale by the federal government?

throw10920 · 2d ago
This is pretty significantly off-topic, but I'll respond anyway:

(a) That's one of the reasons why it's important to restrict corporate data collection in addition to state data collection; and

(b) In the vast majority of cases, the US government at least, has to obtain a warrant to collect data on US citizens, so those two sets are not the same

I agree with the idea that most governments around the world have far more access to corporate data than they should, but I wouldn't go as far as to say that they have complete access (with caveats - the US has more protections than most of the rest of the world, for instance, and China has far less).

globie · 2d ago
>In the vast majority of cases, the US government at least, has to obtain a warrant to collect data on US citizens, so those two sets are not the same

If only that were true[0][1][2][3].

[0] (2022): https://fedscoop.com/dhs-buying-personal-data-from-govt-cont...

[1] (2023): https://www.congress.gov/118/meeting/house/116192/documents/...

[2] (2024): https://www.cnn.com/2024/01/26/tech/the-nsa-buys-americans-i...

[3] (2025): https://theintercept.com/2025/05/22/intel-agencies-buying-da...

cypherpunks01 · 1d ago
Signal is licensed under GNU AGPLv3 - think there will be any action against the company for license violations? I suppose it's the least of their liabilities, but just wondering.
cavisne · 1d ago
The signal protocol is public, using their servers is frowned upon but its not a source code license violation.
tamirmag · 2d ago
Does the importer validate heapdump JSON and flag malformed records before they reach PostgreSQL?
klooney · 2d ago
Heap dumps on the Internet. Java ecosystem has some criminal defaults.
mdhb · 2d ago
It’s truly wild that something like this exists. It really speaks to the unfathomable levels of incompetence that this is what the Trump administration was using to plan military operations over.
owlninja · 2d ago
And we all drop our jaws, wonder what is happening, and then wake up to a slurry of new stories.
heywoods · 2d ago
From the other article which shared the email domains found in the heap. Sorry in advance for the poor formatting.

---

Source: `https://micahflee.com/telemessage-customers-include-dc-polic...`

### I. Industry Breakdown

*Financial Services (Dominant):* This is by far the most represented sector. It encompasses a wide array of sub-sectors:

* *Investment Banking & Brokerage:* A large number of domains belong to global and regional investment banks, interdealer brokers, and brokerage firms. * Examples: `jefferies.com`, `morganstanley.com`, `cantor.com`, `tpicap.com`, `bgcg.com`, `rjobrien.com`, `clarksons.com` (shipping finance/brokerage)

* *Asset & Investment Management:* Numerous firms managing diverse asset classes for institutional and private clients are present. * Examples: `kkr.com`, `aresmgmt.com`, `pimco.com`, `nuveen.com`, `franklintempleton.com`, `apg-am.com`

* *Banking (Commercial & Private):* Major multinational and regional banks are included, covering commercial, private, and retail banking. * Examples: `jpmorgan.com`, `bbva.com`, `cibc.com`, `scotiabank.com` (and its numerous regional variations), `bradescobank.com`, `safra.com`, `standardbank.co.za`, `dbank.co.il`

* *Wealth Management:* Firms specializing in wealth advisory for high-net-worth individuals are visible. * Examples: `gentrustwm.com`, `boltonglobal.com`, `rohrpwm.com`

* *Cryptocurrency & Digital Assets:* A significant and growing sub-sector, with exchanges, trading firms, and investment managers focusing on digital assets. * Examples: `coinbase.com`, `galaxydigital.io`, `b2c2.com`, `hiddenroad.com`, `aminagroup.com` (formerly SEBA), `panteracapital.com`

* *Fintech & Financial Technology:* Companies providing technology solutions for the financial industry, including trading platforms and compliance tools. * Examples: `smarsh.com`, `telemessage.com`, `interactivebrokers.com`

* *Venture Capital & Private Equity:* A strong showing of firms investing across various stages and sectors, from early-stage tech to large buyouts. * Examples: `a16z.com`, `sequoiacap.com` (implied), `vistaequitypartners.com`, `lcatterton.com`, `ardian.com`, `tigerglobal.com`, `tcv.com`, `bitkraft.vc`, `blockchaincapital.com`

*Energy & Commodities:* This sector is well-represented by:

* *Trading Houses:* Global and regional commodity traders dealing in oil, gas, metals, and agricultural products. * Examples: `vitol.com`, `gunvorgroup.com`, `eni.com` (also integrated), `amerexenergy.com`, `amius.com`, `pvm.co.uk`

* *Energy Companies (Integrated & Exploration/Production):* Major oil and gas companies and related services. * Examples: `totalenergies.com`, `petrobras.com`, `marathonpetroleum.com`, `p66.com`, `aramcotrading.us`

*Government & Public Sector:* Primarily U.S. government entities, including:

* *Federal Agencies:* * Examples: `cbp.dhs.gov` (Customs and Border Protection), `usss.dhs.gov` (Secret Service), `dfc.gov` (Development Finance Corporation), `who.eop.gov` (White House Office)

* *Local Government:* * Example: `dc.gov` (District of Columbia Government)

*Technology (Non-Fintech Focus):* While many tech firms are Fintech-related, some general software and IT service providers are present. * Examples: `nice.com`, `nebari.com`, `vlmsofts.com`

*Consulting:* A smaller representation, often specialized. * Example: `soteriasolutions.us` (safety/threat management)

*Real Estate:* Investment and advisory firms in the real estate sector. * Examples: `eastdilsecured.com`, `digitalbridge.com` (digital infrastructure)

*Shipping & Logistics:* Companies involved in shipping brokerage and services. * Examples: `clarksons.com`, `mcquilling-energy.com`, `freightinvestor.com`

### II. Geographical Breakdown (Based on domain extensions and company descriptions)

* *United States (Dominant):* A very large portion of the entities are U.S.-based or have significant U.S. operations. This is evident from the high number of `.com` domains associated with American companies and the presence of `.gov` domains. * Major financial centers like New York and tech hubs in California are implicitly represented (e.g., `aresmgmt.com`, `kkr.com`, `a16z.com`, `morganstanley.com`).

* *Canada:* A strong presence, particularly Scotiabank and its various divisions, along with other financial and tech firms. * Examples: `scotiabank.com`, `scotiabank.ca` (implied), `cibc.com`, `bitbuy.ca`, `wonder.fi`

* *United Kingdom:* Well-represented in finance (banking, brokerage, asset management) and commodities. London's role as a global financial hub is evident. * Examples: `cantor.co.uk`, `pvm.co.uk`, `ubauk.com`, `hbluk.com`, `rmb.co.uk`, `amcgroup.com`

* *Latin America:* Several domains indicate operations or focus in this region, with Scotiabank having a particularly strong showing. * *Mexico:* `scotiabank.com.mx`, `scotiacb.com.mx`, `scotiawealth.com.mx` * *Chile:* `scotiabank.cl`, `larrainvial.com` * *Peru:* `scotiabank.com.pe` * *Colombia:* `scotiabankcolpatria.com` * *Brazil:* `br.scotiabank.com`, `petrobras.com.br`, `bradescobank.com`, `itaubba.eu` (European arm of Brazilian bank) * *Panama:* `pa.scotiabank.com`

* *Europe (excluding UK):* * *France:* `totalenergies.com`, `ardian.com`, `mbcfrance.com` * *Switzerland:* `seba.swiss` / `aminagroup.com`, `hnwag.com`, `itau.ch` * *Monaco:* `tyruscap.mc` * *Netherlands:* `apg-am.com` * Other European presences through global firms (e.g., `itaubba.eu`).

* *Asia:* Highlighting its role as a financial hub. * *Hong Kong:* `apg-am.hk` * *Singapore:* `apg-am.sg`, `gfigroup.com.sg`, `icap.com.sg`, `sg.pimco.com`, `traditionasia.com` * *Japan:* `mitsui.com`, `tullettprebon.co.jp`, `smbcgroup.com` * *Israel:* `dbank.co.il`, `fibi.co.il`, `opco.co.il`, `nice.com` * *Indonesia:* `miraeasset.co.id`

* *Middle East:* * *UAE:* `freightinvestor.ae`, `aramcotrading.us` (US trading arm of Saudi Aramco) * General presence of firms like Alpha Wave Global with strong ties to the region.

* *Africa:* * *South Africa:* `standardbank.co.za`

* *Global:* Many firms operate globally, even if headquartered in a specific country (e.g., `a16z.com`, `kkr.com`, `morganstanley.com`).

### III. Notable Trends & Observations

* *Dominance of Financial Services:* The sheer volume of financial sector domains underscores its significant role in this context. * *Globalization of Finance:* Many financial institutions have multiple country-specific domains (e.g., Scotiabank, PIMCO, ICAP/TP ICAP), reflecting international operations. * *Rise of Digital Assets:* Numerous cryptocurrency exchanges, traders, and VCs focused on Web3 indicate the growing institutionalization of this asset class. * *Concentration of Energy Trading:* A significant number of specialized energy and commodity trading firms are present. * *Venture Capital Focus on Technology:* Many VC firms listed are known for investments in technology and, increasingly, blockchain/crypto. * *Government Presence:* Inclusion of U.S. federal and local government domains suggests interactions with these regulatory or administrative bodies. * *Prevalence of `.com`:* Despite geographical diversity, `.com` remains the most common top-level domain. * *Personal Email Addresses (`gmail.com`):* The presence of a few Gmail addresses (6 emails) is minor but indicates not all communications are necessarily from official corporate domains.

---