More than 70,000 French government employees had personal details stolen. Why and by whom?
On June 8, 2026, DINUM announced that the official French government chat service (Tchap) had been breached on June 7. At the same time, a threat actor calling itself ‘misere’ claimed responsibility.
DINUM is the French government’s interministerial digital directorate in charge of Tchap.
Tchap is a ‘secure’ sovereign instant messaging service for French government employees designed to combine the principle of data sovereignty with increased security over third-party foreign systems. It includes secure chat rooms that are end-to-end encrypted, and ‘public’ chat rooms that are not encrypted.
Misere is… unknown. There is no public record of a threat actor known as ‘misere’.
DINUM says the system was compromised following account hijacking, and states, “Of the more than 825,000 registered agents, 73,467 are reportedly affected by this incident, representing less than 9% of registered users.”
Misere supposedly claimed almost precisely the same: theft of more than 70k accounts (aligning with DINUM’s statement); but added that it stole 13.5GB of files across more than 643,000 messages. However, we cannot verify misere’s claim because it was reported rather than published by the OSINT FrenchBreaches community, and the original misere claim is not, or is no longer, available on the internet.
So, we’re left with a conundrum. An official announcement states the breach occurred (not was discovered but occurred) on June 7 and was limited to 9% of the users. Classic, but not inaccurate, downplaying. But almost immediately, an unknown threat actor agrees with the number of affected accounts but claims theft of 13.5GB of actual data. We cannot verify this latter detail since we only have reports of a report – but if we assume accuracy and honesty, is it realistic to believe that this amount of data can be gathered and exfiltrated in a single day by an otherwise unknown threat actor?
For additional insights into the cause and effect, we talked to Ilia Kolochenko, a qualified attorney, and CEO, founder and chief architect at ImmuniWeb. ImmuniWeb operates a dark web monitoring and threat intelligence service for its clients and sees thousands of different incidents daily.
Could misere be a pseudonym adopted by a state actor for this small and relatively innocuous breach – for example, Russia embarrassing France over its pro-Ukraine position; or the US doing the same for its anti-Iran war position? Kolochenko doesn’t think so, “Because it’s a little trivial. This is too small for large power intelligence agencies to bother with.”
Before 2024, he had seen state actors compromise systems and rapidly act on the compromise. “But since 2024,” he continued, “state actors tend to infiltrate and lay low. What is alarming now is a new trend with state actors breaching critical national infrastructure and its suppliers silently. They just backdoor everything to get control of a nation’s infrastructure. They just go deeper and deeper and deeper, trying to get access to as many critical systems as possible.” The motivation is to pre-position with the ability to bring down multiple if not all the critical industries in an enemy nation simultaneously. This is cyberwar in preparation for or defense against a possible kinetic war.
Nor does he think that the suggestion that the breach was an account take-over event is informative. It could be as simple as a hacker getting the credentials from stealer logs; but if it were an advanced hacker, that would not be necessary. “In today’s cloud and AI world, you don’t need to steal cookies with infostealers. You don’t need zero days. You just send a legitimate request to an API, and you’ll get all the records of a governmental institution or a private company, and everything will be on your hard drive within several hours.”
Such a hypothesis could explain how misere could exfiltrate 13.5GB on the same day as the breach was discovered.
Does the name misere give any clue to the actor or motivation? Again, no.
“The name given to this actor is meaningless,” suggested Kolochenko. “Sometimes a hacker or group wants to protect a reputation for doing more meaningful hacks and adopts a ‘burner’ identity. Sometimes one group will impersonate another group that might be considered a rival or affiliated with a different adversarial nation.” The fact that the name is unknown does not mean that the actor is unknown.
Overall, this attack by an unknown hacker against a secure government chat system does not present itself as an APT attack. But that could even be the purpose. After all, it involves 70,000 government employees. DINUM specifies in its breach disclosure announcement, “The potentially exposed user account data includes, at a minimum: first and last name, email address, affiliated entity, and avatar.” The affiliated entity would expose which government department is involved, the email address is provided, and misere further claimed to have scraped 640,000 (plaintext) chat messages.
This combination would be a treasure trove for subsequent targeted spear-phishing, valuable to both financially motivated cyber gangs and state actors ultimately targeting not Tchap but the ministries employing the Tchap users.
But – and this is the point of this discussion – we just don’t know the truth: everything is conjecture. Frankly, trying to understand the cause and motivation behind any cyber incident is based on conjecture with little known truth.
