Over 70,000 French government workers had their personal information compromised. What happened, and who was behind it?
On June 8, 2026, France’s interministerial digital directorate (DINUM) disclosed that the government’s official messaging platform, Tchap, had been hacked the previous day, June 7. A threat actor going by the alias ‘**misere**’ quickly stepped forward to take credit for the attack.
DINUM serves as the French government’s cross-departmental digital authority and oversees the Tchap platform.
Tchap is a government-owned, purportedly ‘secure’ instant messaging application built to offer both data sovereignty and stronger protections compared to foreign third-party alternatives. The platform features end-to-end encrypted private channels as well as unencrypted ‘public’ spaces.
Misere, on the other hand, remains a mystery. There is no prior record of any group operating under that identifier.
According to DINUM, the breach stemmed from unauthorized account access. The agency explained, “Out of more than 825,000 holders, approximately 73,467 accounts are believed to be impacted, which accounts for under 9% of all registered users.”
Misere’s claimed figures were strikingly similar — acknowledging the theft of over 70,000 accounts in line with DINUM’s statement — but went further by asserting the attacker had also exfiltrated 13.5GB of data encompassing more than 643,000 individual messages. However, this claim remains unverified; the FrenchBreaches OSINT community reported on the claim rather than sourcing it directly, and the original posting from misere is no longer accessible online.
This leaves us facing a puzzle. The official timeline states the intrusion took place on June 7 and affected fewer than one in ten users — a familiar pattern of minimization, though not necessarily misleading. Yet almost simultaneously, an unknown attacker corroborates the account count while asserting a far larger data haul. Without direct evidence, we can only rely on secondary reporting. But if we take the claims at face value, is it plausible that an unrecognized threat actor could harvest and extract such a massive volume of data within a single day?
For a deeper perspective on the circumstances, we spoke with Ilia Kolochenko, a licensed attorney and the CEO, founder, and chief architect of ImmuniWeb, a firm that provides dark web surveillance and threat intelligence services to its clients and processes thousands of incident reports every day.
Could ‘misere’ be a front for a nation-state seeking to humiliate France — perhaps Russia retaliating over France’s support for Ukraine, or the U.S. sending a signal regarding its opposition to Iran military action? Kolochenko is skeptical: “It’s simply too minor. This wouldn’t warrant the attention of major intelligence establishments.”
Prior to 2024, he had observed state-sponsored groups compromising systems and acting swiftly on that access. “But from 2024 onward,” he noted, “state actors have shifted toward infiltration and patience. What’s particularly concerning now is the emerging pattern of state-affiliated groups penetrating vital national infrastructure and its supply chains in silence. They embed backdoors everywhere to seize operational control over a country’s foundational systems. They push deeper and deeper, seeking access to as many critical networks as they can.” The objective is to pre-position themselves with the capacity to cripple several — or even all — of an adversary’s essential industries at once. This represents cyberwarfare in preparation for, or as a deterrent against, potential conventional military conflict.
He is equally unconvinced that describing the incident as “account hijacking” reveals much about the true nature of the breach. It could be as straightforward as a threat actor sourcing stolen credentials from information-stealing malware logs. But a sophisticated adversary likely wouldn’t need that approach. “Modern platforms, particularly in the age of cloud computing and artificial intelligence, don’t require cookie theft through infostealers. Zero-day exploits aren’t necessary either. Simply by sending a valid API request, you can obtain complete record sets from a government body or private enterprise — the entire dataset ends up on your local drive within just a few hours.”
Such a scenario would account for how misere could have siphoned 13.5GB of data on the very day the breach came to light.
Does the moniker ‘misere’ itself offer any insight into the attacker’s identity or intent? Not really.
“Attributing meaning to the attacker’s chosen name would be speculative,” Kolochenko remarked. “Occasionally, an individual or group wishes to shield their established reputation — particularly if they’ve carried out higher-profile operations — and so they use a disposable alias. In other cases, one faction may fabricate the identity of another, perhaps a rival group or one associated with a different adversarial nation.” The fact that the name doesn’t correspond to any known actor doesn’t necessarily mean the actor itself is unfamiliar.
Taken as a whole, this incident — an unknown actor compromising what was marketed as a secure government messaging platform — doesn’t exhibit the hallmarks of an advanced persistent threat (APT). But that could be precisely the intention. After all, it touches 70,000 government personnel. DINUM’s official notification lists among the potentially compromised data: “full name, email address, organizational affiliation, and profile picture.” The organization detail would reveal which ministry or agency is involved, the emails would be directly exploitable, and misere’s additional allegation involves scraping over 640,000 unencrypted chat messages.
This mélange of information would be a goldmine for follow-up spear-phishing campaigns — attractive both to profit-driven cybercriminals and to state-sponsored threat actors whose true target is not Tchap itself but the government departments relying on Tchap’s users.
But — and this is the crux — we simply don’t know what really happened. In truth, analyzing the motivation behind any cybersecurity incident is largely an exercise in informed guessing from limited verified facts.