Who Hacked France? The Tchap Breach and the Shadow World of Hacker Groups

The mysterious 'misere' attack on France's sovereign messaging platform opens a window onto the complex, murky, and increasingly dangerous world of state actors, criminal gangs, and lone wolves who target governments

June 16, 2026


On the morning of June 8, 2026, France's interministerial digital directorate DINUM published a terse announcement: its sovereign government messaging platform, Tchap, had been breached the previous day. More than 73,000 civil servants had personal data exposed. Almost simultaneously, a threat actor nobody had ever heard of — calling itself 'misere' — stepped forward to claim responsibility, alleging it had walked away with 13.5 gigabytes of data: 643,459 messages, 876 chat rooms, nearly 60,000 media files, and around 90 documents marked Diffusion Restreinte — France's restricted-distribution classification.

The name misere means nothing in the threat intelligence community. No prior campaigns, no affiliated infrastructure, no known associates. And yet here was a previously invisible actor allegedly breaching the sovereign communications backbone of one of Europe's most powerful nations — a platform that Prime Minister François Bayrou had mandated for all French civil servants less than a year earlier, specifically to reduce dependence on foreign applications like WhatsApp and Signal.

Who is misere? What does the breach reveal about the current threat landscape? And how does it fit into the broader ecosystem of hacker groups that have made government institutions their primary target? The answers are less comfortable than the questions.


What Happened to Tchap

Tchap is not a consumer application. It is France's attempt at digital sovereignty in communications: a government-run deployment of the open-source Matrix protocol, built from forks of the Element clients and the Synapse homeserver, available only to holders of .gouv.fr or equivalent government email addresses, and mandated across all French ministries since September 2025. With more than 825,000 registered civil servants and 300,000 monthly active users, it is the backbone of inter-ministerial communication in the French state.

The breach was not a sophisticated technical exploit. France's national cybersecurity agency ANSSI detected the breach on June 7, 2026, after a valid user account was hijacked through social engineering. The attacker did not crack encryption or penetrate firewalls. They convinced a human being — reportedly someone connected to Tchap's education environment — to hand over credentials, then used that legitimate account to move freely through the platform.

The platform runs as multiple shards, one per ministry group. Private conversations can be end-to-end encrypted; public rooms are not, and in Matrix a public room can be joined by any authenticated user of the homeserver, who then sees its history (by default a room's history is visible to all current members, including messages sent before they joined). This architectural distinction matters enormously: a single compromised account, without exploiting any software vulnerability, was sufficient to harvest enormous quantities of data from unencrypted public rooms that are, by design, open to all authenticated users.

The gap between the official and the claimed versions of events is striking. French authorities described the damage narrowly, but the attacker claimed access to roughly 73,000 state agents' data, 643,000 messages, hundreds of chat rooms, almost 60,000 files (some 13.5 gigabytes in all), and around 90 items referencing 'Diffusion Restreinte' documents spanning June 2023 to June 2026. Those figures have not been verified by ANSSI or DINUM. But the divergence between the two accounts is itself telling.

The data exposed — names, email addresses, affiliated government entity, and avatars — is a precisely calibrated input for what comes next: targeted spear-phishing campaigns against the ministries whose employees now have their identities, departments, and contact details in an unknown actor's hands.


The Identity Question: Who Is Misere?

The honest answer is that nobody knows. And that uncertainty is, in itself, informative.

Ilia Kolochenko, CEO and founder of cybersecurity firm ImmuniWeb, dismisses the idea that misere is a major state actor doing a casual job. "This is too small for large power intelligence agencies to bother with," he said. Russia, China, and the United States all have the capability to conduct far more consequential operations than stealing 13.5GB from a government chat platform. They also have strong reasons not to expose themselves for marginal gain.

But Kolochenko raises a more unsettling possibility: the name misere may be entirely disposable. "Sometimes a hacker or group wants to protect a reputation for doing more meaningful hacks and adopts a 'burner' identity," he noted. "Sometimes one group will impersonate another group that might be considered a rival or affiliated with a different adversarial nation." The fact that the name is unknown does not mean the actor is unknown. It may mean the actor is well known — and chose not to be identified.

What makes this breach conceptually significant is what Kolochenko describes as a fundamental shift in how sophisticated actors now operate. "Since 2024," he said, "state actors tend to infiltrate and lay low. What is alarming now is a new trend with state actors breaching critical national infrastructure and its suppliers silently. They just backdoor everything to get control of a nation's infrastructure. They just go deeper and deeper and deeper." In that context, a noisy, publicly claimed, relatively small breach — a burner identity, a claimed haul, a quick claim on a dark web forum — is exactly what a distraction looks like.


The Landscape They Operate In: A Guide to Today's Threat Actors

To understand misere — whoever it is — you have to understand the ecosystem it has entered. The world of hacker groups in 2026 is neither monolithic nor random. It is a stratified environment of state-backed APTs (Advanced Persistent Threat groups), financially motivated criminal gangs, and ideologically driven collectives, each with distinct methods, targets, and risk tolerances.

Nation-State APTs: Patient, Deep, and Invisible

The most dangerous actors are the ones you never hear about, because they succeed by never being found. The APT groups most active in 2025 included Salt Typhoon, Flax Typhoon and Mustang Panda (China), APT28, APT29 and Sandworm (Russia), Lazarus and Kimsuky (North Korea), and APT42 (Iran). PRC-aligned activity led in global intrusion volume, with telecom and government networks targeted for sustained intelligence collection.

Volt Typhoon (China) has become the defining example of what cyberwar preparation actually looks like. Like APT29, it prioritizes long-term, stealthy pre-positioning in critical infrastructure and government environments, relying on living-off-the-land techniques (built-in administrative tools rather than custom malware) and abuse of valid credentials to maintain access. The goal is strategic disruption or intelligence collection rather than immediate financial gain: not to cause damage today, but to hold the keys to cause catastrophic damage tomorrow, on the day a kinetic conflict begins.

Sandworm (Russia, also tracked as APT44) takes a more aggressive posture. In 2025 it escalated cross-border attacks, deploying new wiper malware, including ZEROLOT, against energy and logistics infrastructure. Sandworm has been linked to the attacks on Ukraine's power grid, to the 2017 NotPetya malware that caused an estimated $10 billion in global damage, and to a sustained campaign against European military and logistics targets since the full-scale invasion of Ukraine.

APT28 (Fancy Bear) and APT29 (Cozy Bear), both Russian, specialize in political and diplomatic targets. APT29 was behind the 2020 SolarWinds supply chain compromise, which reached the US Treasury, the State Department and dozens of private firms and went undetected for months. Both groups have targeted French institutions before; APT28 was linked to the hack-and-leak interference in the 2017 French presidential election.

The intersection with the Tchap breach is uncomfortable: for a service whose entire pitch is that the state can be trusted to run its own secure communications, even a contained breach is an awkward dent. A loud, unverified hacker claim on top of it is exactly the kind of story that sovereignty sceptics — and France's rivals — will be watching.

Lazarus Group (North Korea): The Wealthiest Criminals in History

If state APTs are characterized by patience, Lazarus Group is characterized by audacity. Lazarus is likely to intensify supply-chain and living-off-the-land tradecraft, pairing sophisticated social engineering with newly discovered vulnerabilities. Given North Korea's record ~$2.02 billion in cryptocurrency theft in 2025, the group will likely pursue larger, high-value intrusions in 2026 spanning both theft and espionage.

The group's most spectacular 2025 operation targeted Bybit, one of the world's largest cryptocurrency exchanges. Lazarus stole approximately $1.5 billion in Ethereum — the single largest theft in the history of cryptocurrency — executed not through a vulnerability in Bybit's own systems but through a compromise of Safe{Wallet}, the third-party multi-signature wallet infrastructure Bybit used to manage cold storage transfers. The method was characteristic Lazarus: identify the trusted third party, compromise the supply chain, wait for the target to execute a routine transaction, and redirect it.

For North Korea, hacking is not merely espionage. It is a primary revenue source for a sanctions-strangled economy and a nuclear weapons programme.

ShinyHunters: The Relentless Data Pirates

If Lazarus represents the strategic apex of financially motivated hacking, ShinyHunters represents its most prolific practitioner. Major 2026 victims include Telus (700 terabytes of data claimed stolen), Under Armour (72 million accounts), and Match Group dating platforms.

In April 2026, ShinyHunters claimed responsibility for a major breach of Adobe's systems, exposing 13 million customer support tickets, 15,000 employee records, internal company documents, and submissions from Adobe's bug bounty program — accessed via a third-party entry point through AppsFlyer, a marketing analytics partner, making it the most significant enterprise software supply chain breach of 2026 so far.

ShinyHunters' preferred entry vectors are third-party platforms (OAuth tokens, marketing integrations, customer service platforms) rather than direct attacks on hardened core systems. TransUnion and Air France-KLM also fell victim to breaches traced to ShinyHunters, which reached their data through third-party platforms, notably Salesforce tenants and the Salesloft Drift integration, using social engineering and stolen OAuth tokens.

Scattered Spider: The Social Engineering Specialists

Scattered Spider — now sometimes operating under the "Scattered Lapsus$ Hunters" umbrella in collaboration with ShinyHunters and Lapsus$ — has become the definitive example of social engineering elevated to an art form. The group's defining characteristic is not technical sophistication but human manipulation: calling IT helpdesks, impersonating employees, convincing support staff to reset credentials or bypass multi-factor authentication.

The group's 2025 victims spanned multiple continents and industries, including the leak of personal information belonging to 5.7 million Qantas customers after a ransom deadline expired, stemming from a compromise of a Salesforce-hosted customer service platform.

The Tchap breach pattern — a single hijacked account, accessed via social engineering of an education-environment user, used to harvest hundreds of thousands of messages from unencrypted public rooms — is methodologically consistent with what Scattered Spider and its affiliates do. That does not mean they did it. But it illustrates that the techniques used by misere are not those of a lone, amateur actor.


The Tchap Architecture Problem: Sovereignty vs. Security

One of the most important lessons of the Tchap breach transcends attribution. It exposes an architectural risk shared by government collaboration platforms built on Matrix: public rooms are, by design, readable by any authenticated user, so a single socially engineered account, with no software vulnerability involved, was enough to harvest enormous quantities of sensitive data.

France made Tchap mandatory precisely to escape the perceived surveillance risk of foreign platforms. The irony is that its architecture, combining encrypted private chats with entirely unencrypted public rooms open to any of its 825,000 registered accounts, created a different kind of exposure. Any one of those accounts, if compromised, becomes a key to every public room it is allowed to join.
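What a defender could look for is the traffic shape this kind of harvesting leaves on the homeserver: one account lists the public room directory, joins far more rooms than a person would, then pages each room's history in quick succession. The Python below is an added example written for this article, not code from the page, DINUM, ANSSI or the Matrix project. It replays constructed, simplified request records (the log layout, the thresholds, the user IDs and the tchap.example hostname are all assumptions; Synapse's real access-log format is more verbose) and flags accounts whose join and history-pagination rate within a sliding window is far above a normal user's. The Matrix client-server API paths it matches (publicRooms, join, messages) are the real ones.

```python
"""Flag a single Matrix account bulk-harvesting public rooms (added example).

The record layout used here is an assumption for this example:
"<ISO timestamp> <matrix user id> <HTTP method> <path> <status>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Client-server API paths involved in enumerating and draining public rooms.
PUBLIC_ROOMS_RE = re.compile(r"^/_matrix/client/v3/publicRooms")
JOIN_RE = re.compile(r"^/_matrix/client/v3/(?:join/([^/?]+)|rooms/([^/?]+)/join)")
MESSAGES_RE = re.compile(r"^/_matrix/client/v3/rooms/([^/?]+)/messages")

# Assumed per-window thresholds; tune against the homeserver's real baseline.
DEFAULT_THRESHOLDS = {"room_list": 3, "join": 20, "history": 60}


def classify(method, path):
    """Map one request to (rule, room) or None when it is not harvesting-related."""
    if method == "GET" and PUBLIC_ROOMS_RE.match(path):
        return ("room_list", None)
    m = JOIN_RE.match(path)
    if method == "POST" and m:
        return ("join", m.group(1) or m.group(2))
    m = MESSAGES_RE.match(path)
    if method == "GET" and m:
        return ("history", m.group(1))
    return None


def parse_line(line):
    ts, user, method, path, status = line.split()
    return datetime.fromisoformat(ts), user, method, path, int(status)


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text, window=timedelta(minutes=10), thresholds=None):
    """Return one alert per (user, rule) whose peak rate crosses the threshold."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    events = defaultdict(list)   # (user, rule) -> timestamps of successful calls
    rooms = defaultdict(set)     # (user, rule) -> distinct rooms touched
    for line in log_text.strip().splitlines():
        ts, user, method, path, status = parse_line(line)
        if status != 200:
            continue  # only successful calls move data; failures are a separate signal
        hit = classify(method, path)
        if hit is None:
            continue
        rule, room = hit
        events[(user, rule)].append(ts)
        if room:
            rooms[(user, rule)].add(room)
    alerts = []
    for (user, rule), times in events.items():
        peak = max_in_window(times, window)
        if peak >= thresholds[rule]:
            alerts.append({"user": user, "rule": rule, "peak_in_window": peak,
                           "distinct_rooms": len(rooms[(user, rule)])})
    return sorted(alerts, key=lambda a: (a["user"], a["rule"]))


def build_sample_log():
    """Constructed traffic: one ordinary user and one account draining public rooms."""
    t0 = datetime(2026, 6, 7, 8, 0, 0)
    lines = []

    def add(t, user, method, path, status=200):
        lines.append(f"{t.isoformat()} {user} {method} {path} {status}")

    normal = "@b.martin:tchap.example"
    for i in range(12):  # a quiet morning: sync polls, one room read, one join
        add(t0 + timedelta(minutes=5 * i), normal, "GET", "/_matrix/client/v3/sync?timeout=30000")
    add(t0 + timedelta(minutes=3), normal, "GET",
        "/_matrix/client/v3/rooms/!team:tchap.example/messages?dir=b&limit=20")
    add(t0 + timedelta(minutes=40), normal, "POST", "/_matrix/client/v3/join/%23newproject:tchap.example")

    harvester = "@a.dupont:tchap.example"
    for n, since in enumerate(["", "&since=p2", "&since=p3"]):  # walk the whole room directory
        add(t0 + timedelta(seconds=2 * n), harvester, "GET", f"/_matrix/client/v3/publicRooms?limit=500{since}")
    for i in range(40):  # join 40 rooms and page each one's history three times, all within ~8 minutes
        t = t0 + timedelta(seconds=10 + 12 * i)
        room = f"!room{i:03d}:tchap.example"
        add(t, harvester, "POST", f"/_matrix/client/v3/rooms/{room}/join")
        for page in range(3):
            add(t + timedelta(seconds=3 + page), harvester, "GET",
                f"/_matrix/client/v3/rooms/{room}/messages?dir=b&limit=100")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Run against the constructed sample, the detector raises three alerts for @a.dupont (directory enumeration, 40 joins, 120 history pages in the window) and none for the ordinary user. Detection of this kind is a backstop, not a control: the first-order fixes are to keep anything sensitive out of public rooms and to rate-limit joins on the homeserver (Synapse exposes this as its rc_joins setting), so that a stolen account cannot drain hundreds of rooms before anyone looks.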

The directive that drove civil servants from WhatsApp and Signal to Tchap was about sovereignty. But sovereignty over infrastructure is not the same as security. A government-built platform with an architectural weakness is more dangerous than a commercial foreign platform with strong encryption, not less.


What Comes Next

The 73,467 names, email addresses, and ministry affiliations now in misere's possession — verified or not — are not the end of this story. They are the beginning of the next one.

As Kolochenko observed, this combination of identity and institutional affiliation is "a treasure trove for subsequent targeted spear-phishing." The civil servants of the Ministries of Defence, Interior, Foreign Affairs, and Finance — all Tchap users — are now identifiable, contactable, and targetable by whoever actually holds this data.

Whether misere was a criminal gang looking to monetise access, a state actor running a false-flag operation, or a genuinely unknown independent actor looking for notoriety, the downstream risk is the same. The data will be used, whether sold, traded or weaponised, and the French government knows it.

Kolochenko's summary of the current threat environment is blunt: "In today's cloud and AI world, you don't need to steal cookies with infostealers. You don't need zero days. You just send a legitimate request to an API, and you'll get all the records of a governmental institution or a private company, and everything will be on your hard drive within several hours."

The Tchap breach is a reminder that in cybersecurity, the most dangerous vulnerabilities are not the ones in code. They are the ones in people.


Sources: SecurityWeek, Help Net Security, The Next Web, The Register, CyberPress, TEISS, CloudSEK, Netlas, Infosecurity Magazine, Cloudskope