FlagThis - #hacking

A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the vulnerabilities associated with modifying secure messaging applications, especially concerning the preservation of end-to-end encryption.

The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised.

TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk.


References :

• securityaffairs.com: SecurityAffairs: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
• Talkback Resources: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov [app]
• www.techradar.com: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
• www.metacurity.com: A hacker stole content from the Telemessage system used by the US government
• TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
• The DefendOps Diaries: TeleMessage Breach: Unveiling the Risks of Modified Secure Messaging Apps
• techcrunch.com: TeleMessage, a modified Signal clone used by US government officials, has been hacked
• Risky Business Media: Trump admin’s Signal clone gets hacked, messages exposed
• The Register - Security: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
• siliconangle.com: The security of U.S. government officials’ communications has come under the spotlight again after a modified Signal app used to archive data from third-party messaging apps was hacked in less than 30 minutes.
• WIRED: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
• CyberInsider: Signal Clone App Used by Trump Officials Breached in Minutes
• Metacurity: Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more
• arstechnica.com: TeleMessage, a company that provides modified versions of Signal for message archiving, has suspended its services after a reported hack, exposing communications from U.S. government officials.
• hackread.com: TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
• www.404media.co: A hacker has exploited a vulnerability in TeleMessage, a company that provides modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies that used the service, according to a report by 404 Media.
• www.csoonline.com: The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.
• Metacurity: You ask yourself how the Trump administration's insane messing around with the Signal app and its clones could get any worse, and then the universe tells you how. The Signal Clone the Trump Admin Uses Was Hacked
• Dropsafe: US Gov’t Signal-clone with backdoor for message retention, hacked, messages leaked | …I really hope #Ofcom are watching re: the impact of proposed client side scanning
• BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
• arstechnica.com: Signal clone used by Trump official stops operations after report it was hacked
• securityaffairs.com: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
• go.theregister.com: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
• iHLS: Israeli Encrypted Messaging Archiving Platform Used by U.S. Officials Compromised in Cyberattack
• www.insicurezzadigitale.com: Clonazione di Signal: sospesa dopo hacking un’app utilizzata da un ex funzionario dell’amministrazione Trump
• bsky.app: TeleMessage, the Signal clone used by US government officials, suffers hack
• Privacy ? Graham Cluley: TeleMessage, the Signal clone used by US government officials, suffers hack
• WIRED: The Signal clone Mike Waltz Was Caught Using Has Direct Access to User Chats
• www.wired.com: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
• WIRED: Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
• Metacurity: TeleMessage suspends service following reported hack

Classification:

• HashTags: #DataBreach #TeleMessage #Signal
• Company: TeleMessage
• Target: TeleMessage, U.S. Government
• Product: TeleMessage
• Feature: Data Theft
• Type: DataBreach
• Severity: Medium

A new AI platform called Xanthorox AI has emerged in the cybercrime landscape, advertised as a full-spectrum hacking assistant and is circulating within cybercrime communities on darknet forums and encrypted channels. First spotted in late Q1 2025, this tool is marketed as the "killer of WormGPT and all EvilGPT variants," suggesting its creators intend to supplant earlier malicious AI models. Unlike previous malicious AI tools, Xanthorox AI boasts an independent, multi-model framework, operating on private servers and avoiding reliance on public cloud infrastructure or APIs, making it more difficult to trace and shut down.

Xanthorox AI provides a modular GenAI platform for offensive cyberattacks, offering a one-stop shop for developing a range of cybercriminal operations. This darknet-exclusive tool uses five custom models to launch advanced, autonomous cyberattacks, marking a new era in AI-driven threats. The toolkit includes Xanthorox Coder for automating code creation, script development, malware generation, and vulnerability exploitation. Xanthorox Vision adds visual intelligence by analyzing uploaded images or screenshots to extract data, while Reasoner Advanced mimics human logic to generate convincing social engineering outputs.

Furthermore, Xanthorox AI supports voice-based interaction through real-time calls and asynchronous messaging, enabling hands-free command and control. The platform emphasizes data containment and operates offline, ensuring users can avoid third-party AI telemetry risks. SlashNext refers to it as “the next evolution of black-hat AI” because Xanthorox is not based on existing AI platforms like GPT. Instead, it uses five separate AI models, and everything runs on private servers controlled by the creators, meaning it has few ways for defenders to track or shut it down.


References :

• cybersecuritynews.com: New Black-Hat Automated Hacking Tool Xanthorox AI Advertised in Hacker Forums
• hackread.com: Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant
• slashnext.com: Xanthorox AI – The Next Generation of Malicious AI Threats Emerges
• www.esecurityplanet.com: Xanthorox AI, a darknet-exclusive tool, uses five custom models to launch advanced, autonomous cyberattacks, ushering in a new AI threat era.
• Cyber Security News: New Black-Hat Automated Hacking Tool Xanthorox AI Advertised in Hacker Forums
• SlashNext: Xanthorox AI – The Next Generation of Malicious AI Threats Emerges
• eSecurity Planet: Xanthorox AI: A New Breed of Malicious AI Threat Hits the Darknet
• www.scworld.com: AI tool claims advanced capabilities for criminals without jailbreaks

Classification:

• HashTags: #blackhatAI #cybercrime #hackingtool
• Company: Xanthorox
• Target: Enterprise Organizations
• Attacker: Xanthorox AI
• Product: Xanthorox AI
• Feature: AI platform
• Malware: Xanthorox AI
• Type: AI
• Severity: HighRisk

The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.


References :

• bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
• CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
• The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
• bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
• The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
• securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
• The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
• DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
• bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
• cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
• Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
• Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
• Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
• BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
• hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
• Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
• Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
• techxplore.com: US indicts 12 Chinese nationals in hacking
• : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
• Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
• WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
• Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
• blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
• Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
• Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.

Classification:

• HashTags: #CyberEspionage #China #iSoon
• Company: i-Soon
• Target: US Government Agencies
• Attacker: i-Soon
• Product: Software
• Feature: Hacking Tools
• Malware: Divine Mathematician Password Cracking Platform
• Type: Hack
• Severity: Major