French Government Messaging Platform Breached by Mysterious ‘Misere’ Hacker

Von Kevin Townsend für SecurityWeek
Monday, June 15, 2026

• 177
• Mehr

So, we’re left with a conundrum. An official announcement states the breach occurred (not was discovered but occurred) on June 7 and was limited to 9% of the users. Classic, but not inaccurate, downplaying. But almost immediately, an unknown threat actor agrees with the number of affected accounts but claims theft of 13.5GB of actual data. We cannot verify this latter detail since we only have reports of a report – but if we assume accuracy and honesty, is it realistic to believe that this amount of data can be gathered and exfiltrated in a single day by an otherwise unknown threat actor?

For additional insights into the cause and effect, we talked to Ilia Kolochenko, a qualified attorney, and CEO, founder and chief architect at ImmuniWeb. ImmuniWeb operates a dark web monitoring and threat intelligence service for its clients and sees thousands of different incidents daily.

Could misere be a pseudonym adopted by a state actor for this small and relatively innocuous breach – for example, Russia embarrassing France over its pro Ukraine position; or the US doing the same for its anti-Iran war position? Kolochenko doesn’t think so, “Because it’s a little trivial. This is too small for large power intelligence agencies to bother with.”

Before 2024, he had seen state actors compromise systems and rapidly act on the compromise. “But since 2024,” he continued, “state actors tend to infiltrate and lay low. What is alarming now is a new trend with state actors breaching critical national infrastructure and its suppliers silently. They just backdoor everything to get control of a nation’s infrastructure. They just go deeper and deeper and deeper, trying to get access to as many critical systems as possible.” The motivation is to pre-position with the ability to bring down multiple if not all the critical industries in an enemy nation simultaneously. This is cyberwar in preparation for or defense against a possible kinetic war.

Nor does he think that the suggestion that the breach was an account take-over event is informative. It could be as simple as a hacker getting the credentials from stealer logs; but if it were an advanced hacker, that would not be necessary. “In today’s cloud and AI world, you don’t need to steal cookies with infostealers. You don’t need zero days. You just send a legitimate request to an API, and you’ll get all the records of a governmental institution or a private company, and everything will be on your hard drive within several hours.”

Such an hypothesis could explain how misere could exfiltrate 3.5GB on the same day as the breach was discovered.

Does the name misere give any clue to the actor or motivation? Again, no.

“The name given to this actor is meaningless,” suggested Kolochenko. “Sometimes a hacker or group wants to protect a reputation for doing more meaningful hacks and adopts a ‘burner’ identity. Sometimes one group will impersonate another group that might be considered a rival or affiliated with a different adversarial nation.” The fact that the name is unknown does not mean that the actor is unknown.

Overall, this attack by an unknown hacker against a secure government chat system does not present itself as an APT attack. But that could even be the purpose. After all, it involves 70,000 government employees. DINUM specifies in its breach disclosure announcement, “The potentially exposed user account data includes, at a minimum: first and last name, email address, affiliated entity, and avatar.” The affiliated entity would expose which government department is involved, the email address is provided, and Misere further claimed to have scraped 640,000 (plaintext) chat messages.

This combination would be a treasure trove for subsequent targeted spear-phishing, valuable to both financially motivated cyber gangs and state actors ultimately targeting not Tchap but the ministries employing the Tchap users. Read Full Article