TeleMessage Explorer: a new open source research tool
114 micahflee 59 5/26/2025, 2:50:48 PM micahflee.com ↗
See also: TeleMessage customers include DC Police, Andreessen Horowitz, JP Morgan, and hundreds more:
https://micahflee.com/telemessage-customers-include-dc-polic...
There are a few there with enough emails for it to be relatively widespread within the institution: Scotiabank, JPMorgan, KKR and Jeffries stand out -- Scotiabank has hundreds of emails, I imagine they're having a bad week. Also a lot of energy stuff, Aramco, Total.
this is like slack for signal
Now, such a system could be set up to route those copied messages in a separately E2E-encrypted way to the client's in-house/on-prem archival systems, and have the client be responsible for implementing decryption and secure storage at rest. But it's far easier to just sell a centralized cloud-based archival/retrieval system - which must necessarily be able to decrypt messages, and thus makes for an incredibly juicy target.
Given the supply-chain risks of the provider offering the customized clients anyways, one would expect them to have a strong security focus... but it certainly seems this was not the case.
My firm requires screenshots. If the concern is that someone would bypass that, well, someone could bypass TeleMessage, too.
It certainly wouldn’t hold up to the “beyond a reasonable doubt” standard for US criminal prosecution.
I’ve been exposed to “lit holds” for various document management system before and usually a third party such as Box or Microsoft can attest to the immutability of files placed under lit hold, and/or there is an audit trail to make sure the chain of custody is intact.
Typically between commercially reasonable and best efforts.
> been exposed to “lit holds” for various document management system before
I think these are held to a higher standard than run-of-the-mill securities compliance.
Like it might legitimately be the case that you personally have expended more brainpower trying to understand the decision than they put into making it.
Or there might be an issue with trusting their own IT departments. With Signal they don't even have to trust Signal (haha, but they might think that you know).
There's another possibility: NSA told them to use Signal w/ TeleMessage so that NSA could see everything because they have an agreement with TeleMessage or because NSA knows about all these vulns in TeleMessage.
There's other possibilities too.
At the end of they day you need to trust who you are talking to and never over share.
Signal is essentially iMessage that works in Android for all intents. Supporting it lets you communicate with outside entities. Otherwise the only mechanism to do so is email, which is problematic at best.
Government and finance are required by law to archive and audit communications. Some companies do anyway to keep tabs on staff.
This is the right question to ask. It might be that such a thing doesn't quite exist in the way that the customers want (doubtful; Slack should work just fine), or more likely it might be a cultural issue (that Signal is ingrained in some of these executives' minds as _the_ secure system to use, and/or that they don't want Slack/Whatever to be the service provider for IM _and_ the service provider for retention, or that they don't want Slack/Whatever with on-prem services because they don't trust their own IT, etc.).
Obviously TeleMessage's value add is to add retention to Signal, which defeats the point of Signal. That leads me to think that the motivation is cultural.
I kind of feel the same way about Signal itself due to its reliance on phone numbers.
The actual implementation here is atrocious though.
(it won't help when the organization is beached, which unfortunately still seems to be the main way that user data gets leaked)
Ultimately, though, until there starts to be federal law mandating chain of custody for user data and harsh penalties on it being leaked, I think that this will continue for a long time...
Update: I should have read the article - did not realize TeleMessage was supposed to be E2E. I guess now the lesson is that you shouldn't be using normal devices for national security information (classified or not), and otherwise it's still not good to use a sketchy service that doesn't have Moxie-grade crypto implementations.
This is exactly the state of affairs the government prefers.
Privacy and consumer protection long died on the altar of turnkey totalitarian universal monitoring.
By having corps do the creepiest data collection, whatever all political opposition to the complete surveillance state is bypassed
https://news.ycombinator.com/item?id=23710925
The constant litigation between the government and private companies over records requests should put this hypothesis to bed.
What you are talking about is small fry law enforcement.
If you don't think the new has total access to the databases of the thousands of social network and advertising/data collection firms, I don't know what to tell you.
Maybe something totally encrypted, but even then there is hardware backdoors, and the NSA can simply pay an employee to legally let them in.
https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sl...
A lot of the companies embattled in the "constant litigation" mentioned by the GP are featured in this very chart.
Yup. A great first step towards understanding these systems is to disaggregate the monoliths of these enterprises and the U.S. government into their power centres.
If anyone in the U.S. government is extracting data from companies in a manner which is unlawful or should be (and they sure are), I see that as strong evidence of the hypothesis. Pointing out that local agencies may have to fight for their access in court doesn't change that it "is exactly the state of affairs the government prefers".
Yes. Just because the NSA can access some data doesn’t mean the entire federal government, including the NSA, has it.
> local agencies may have to fight for their access
The White House is fighting Harvard for student records. I don’t think people appreciate the degree to which information is siloed, intentionally and unintentionally, in the federal government. (It’s what led to DOGE likely committing multiple felonies.)
Thanks for that. Information can be completely siloed and the statements "If a company knows something about you, so does the government(s)" and "This is exactly the state of affairs the government prefers" still be correct.
Is your belief that the federal government has not actually purchased hordes of corporate surveillance data? Or is it that because there are examples of information being siloed or not available, that means it's okay or a non-issue that Americans' data that was once unlawfully collected is now still unlawfully collected but also collected by corporations and purchased wholesale by the federal government?
(a) That's one of the reasons why it's important to restrict corporate data collection in addition to state data collection; and
(b) In the vast majority of cases, the US government at least, has to obtain a warrant to collect data on US citizens, so those two sets are not the same
I agree with the idea that most governments around the world have far more access to corporate data than they should, but I wouldn't go as far as to say that they have complete access (with caveats - the US has more protections than most of the rest of the world, for instance, and China has far less).
If only that were true[0][1][2][3].
[0] (2022): https://fedscoop.com/dhs-buying-personal-data-from-govt-cont...
[1] (2023): https://www.congress.gov/118/meeting/house/116192/documents/...
[2] (2024): https://www.cnn.com/2024/01/26/tech/the-nsa-buys-americans-i...
[3] (2025): https://theintercept.com/2025/05/22/intel-agencies-buying-da...
---
Source: `https://micahflee.com/telemessage-customers-include-dc-polic...`
### I. Industry Breakdown
*Financial Services (Dominant):* This is by far the most represented sector. It encompasses a wide array of sub-sectors:
* *Investment Banking & Brokerage:* A large number of domains belong to global and regional investment banks, interdealer brokers, and brokerage firms. * Examples: `jefferies.com`, `morganstanley.com`, `cantor.com`, `tpicap.com`, `bgcg.com`, `rjobrien.com`, `clarksons.com` (shipping finance/brokerage)
* *Asset & Investment Management:* Numerous firms managing diverse asset classes for institutional and private clients are present. * Examples: `kkr.com`, `aresmgmt.com`, `pimco.com`, `nuveen.com`, `franklintempleton.com`, `apg-am.com`
* *Banking (Commercial & Private):* Major multinational and regional banks are included, covering commercial, private, and retail banking. * Examples: `jpmorgan.com`, `bbva.com`, `cibc.com`, `scotiabank.com` (and its numerous regional variations), `bradescobank.com`, `safra.com`, `standardbank.co.za`, `dbank.co.il`
* *Wealth Management:* Firms specializing in wealth advisory for high-net-worth individuals are visible. * Examples: `gentrustwm.com`, `boltonglobal.com`, `rohrpwm.com`
* *Cryptocurrency & Digital Assets:* A significant and growing sub-sector, with exchanges, trading firms, and investment managers focusing on digital assets. * Examples: `coinbase.com`, `galaxydigital.io`, `b2c2.com`, `hiddenroad.com`, `aminagroup.com` (formerly SEBA), `panteracapital.com`
* *Fintech & Financial Technology:* Companies providing technology solutions for the financial industry, including trading platforms and compliance tools. * Examples: `smarsh.com`, `telemessage.com`, `interactivebrokers.com`
* *Venture Capital & Private Equity:* A strong showing of firms investing across various stages and sectors, from early-stage tech to large buyouts. * Examples: `a16z.com`, `sequoiacap.com` (implied), `vistaequitypartners.com`, `lcatterton.com`, `ardian.com`, `tigerglobal.com`, `tcv.com`, `bitkraft.vc`, `blockchaincapital.com`
*Energy & Commodities:* This sector is well-represented by:
* *Trading Houses:* Global and regional commodity traders dealing in oil, gas, metals, and agricultural products. * Examples: `vitol.com`, `gunvorgroup.com`, `eni.com` (also integrated), `amerexenergy.com`, `amius.com`, `pvm.co.uk`
* *Energy Companies (Integrated & Exploration/Production):* Major oil and gas companies and related services. * Examples: `totalenergies.com`, `petrobras.com`, `marathonpetroleum.com`, `p66.com`, `aramcotrading.us`
*Government & Public Sector:* Primarily U.S. government entities, including:
* *Federal Agencies:* * Examples: `cbp.dhs.gov` (Customs and Border Protection), `usss.dhs.gov` (Secret Service), `dfc.gov` (Development Finance Corporation), `who.eop.gov` (White House Office)
* *Local Government:* * Example: `dc.gov` (District of Columbia Government)
*Technology (Non-Fintech Focus):* While many tech firms are Fintech-related, some general software and IT service providers are present. * Examples: `nice.com`, `nebari.com`, `vlmsofts.com`
*Consulting:* A smaller representation, often specialized. * Example: `soteriasolutions.us` (safety/threat management)
*Real Estate:* Investment and advisory firms in the real estate sector. * Examples: `eastdilsecured.com`, `digitalbridge.com` (digital infrastructure)
*Shipping & Logistics:* Companies involved in shipping brokerage and services. * Examples: `clarksons.com`, `mcquilling-energy.com`, `freightinvestor.com`
### II. Geographical Breakdown (Based on domain extensions and company descriptions)
* *United States (Dominant):* A very large portion of the entities are U.S.-based or have significant U.S. operations. This is evident from the high number of `.com` domains associated with American companies and the presence of `.gov` domains. * Major financial centers like New York and tech hubs in California are implicitly represented (e.g., `aresmgmt.com`, `kkr.com`, `a16z.com`, `morganstanley.com`).
* *Canada:* A strong presence, particularly Scotiabank and its various divisions, along with other financial and tech firms. * Examples: `scotiabank.com`, `scotiabank.ca` (implied), `cibc.com`, `bitbuy.ca`, `wonder.fi`
* *United Kingdom:* Well-represented in finance (banking, brokerage, asset management) and commodities. London's role as a global financial hub is evident. * Examples: `cantor.co.uk`, `pvm.co.uk`, `ubauk.com`, `hbluk.com`, `rmb.co.uk`, `amcgroup.com`
* *Latin America:* Several domains indicate operations or focus in this region, with Scotiabank having a particularly strong showing. * *Mexico:* `scotiabank.com.mx`, `scotiacb.com.mx`, `scotiawealth.com.mx` * *Chile:* `scotiabank.cl`, `larrainvial.com` * *Peru:* `scotiabank.com.pe` * *Colombia:* `scotiabankcolpatria.com` * *Brazil:* `br.scotiabank.com`, `petrobras.com.br`, `bradescobank.com`, `itaubba.eu` (European arm of Brazilian bank) * *Panama:* `pa.scotiabank.com`
* *Europe (excluding UK):* * *France:* `totalenergies.com`, `ardian.com`, `mbcfrance.com` * *Switzerland:* `seba.swiss` / `aminagroup.com`, `hnwag.com`, `itau.ch` * *Monaco:* `tyruscap.mc` * *Netherlands:* `apg-am.com` * Other European presences through global firms (e.g., `itaubba.eu`).
* *Asia:* Highlighting its role as a financial hub. * *Hong Kong:* `apg-am.hk` * *Singapore:* `apg-am.sg`, `gfigroup.com.sg`, `icap.com.sg`, `sg.pimco.com`, `traditionasia.com` * *Japan:* `mitsui.com`, `tullettprebon.co.jp`, `smbcgroup.com` * *Israel:* `dbank.co.il`, `fibi.co.il`, `opco.co.il`, `nice.com` * *Indonesia:* `miraeasset.co.id`
* *Middle East:* * *UAE:* `freightinvestor.ae`, `aramcotrading.us` (US trading arm of Saudi Aramco) * General presence of firms like Alpha Wave Global with strong ties to the region.
* *Africa:* * *South Africa:* `standardbank.co.za`
* *Global:* Many firms operate globally, even if headquartered in a specific country (e.g., `a16z.com`, `kkr.com`, `morganstanley.com`).
### III. Notable Trends & Observations
* *Dominance of Financial Services:* The sheer volume of financial sector domains underscores its significant role in this context. * *Globalization of Finance:* Many financial institutions have multiple country-specific domains (e.g., Scotiabank, PIMCO, ICAP/TP ICAP), reflecting international operations. * *Rise of Digital Assets:* Numerous cryptocurrency exchanges, traders, and VCs focused on Web3 indicate the growing institutionalization of this asset class. * *Concentration of Energy Trading:* A significant number of specialized energy and commodity trading firms are present. * *Venture Capital Focus on Technology:* Many VC firms listed are known for investments in technology and, increasingly, blockchain/crypto. * *Government Presence:* Inclusion of U.S. federal and local government domains suggests interactions with these regulatory or administrative bodies. * *Prevalence of `.com`:* Despite geographical diversity, `.com` remains the most common top-level domain. * *Personal Email Addresses (`gmail.com`):* The presence of a few Gmail addresses (6 emails) is minor but indicates not all communications are necessarily from official corporate domains.
---