[
- Special envoy Steve Witkoff was one of more than a dozen Trump administration members in a Signal group chat discussing sensitive information that inadvertently included Atlantic editor-in-chief Jeffrey Goldberg. While the text stream was active, Witkoff was in Russia meeting with President Vladimir Putin, according to flight data, CBS reported.
The location of a senior member of the Trump administration involved in a Signal group chat that inadvertently shared secret attack plans with a reporter has further raised concerns about a potential national security nightmare.
President Donald Trump’s Ukraine and Middle East envoy Steve Witkoff was in Moscow, Russia, while the group chat was active, CBS reported, citing data from flight tracking website FlightRadar24. Witkoff was to meet with Russian President Vladimir Putin and a handful of other Russian officials during his trip from March 13 to 14.
Witkoff was one of about a dozen officials in the Trump administration active in a Signal group chat called “Houthi PC small group”—which also included The Atlantic editor-in-chief Jeffrey Goldberg—that appeared to share sensitive information about the U.S.’s plan to bomb Houthi targets in Yemen, The Atlantic reported. The U.S. government has explicitly eschewed the use of Signal for sharing classified information, warning of Russian hacking attempts and security lags.
A real estate attorney-turned special envoy, Witkoff has lauded Putin as a “great” leader and has met with the Russian president to discuss ending Russia’s three-year war with Ukraine.
Witkoff’s time in Russia appears to intersect with the disclosure of highly sensitive information in the group chat. According to flight tracking information, Witkoff arrived in Moscow on March 13 around noon, CBS reported. He met with Putin until about 1:30 a.m. local time the next day, according to a Telegram post by former Putin adviser Sergei Markov. The Atlantic reported CIA director John Ratcliffe disclosed the name of an active CIA officer in the text stream at around 5:24 p.m. ET, or about midnight in Russia.
According to a transcript of the texts shared by The Atlantic, Witkoff did not participate in the chat until after the attack, when he commented two prayer-hands emojis, a flexing-arm emoji, and two American-flag emojis in response to texts about the strikes hitting the intended targets.
White House press secretary Karoline Leavitt said in a social media post Witkoff was “provided a secure line of communication by the U.S. Government, and it was the only phone he had in his possession while in Moscow.” In a press briefing on Wednesday, Leavitt said Witkoff had neither a personal nor government-issued phone on him and instead was given a device with a “classified protected server by the United States government, and he was very careful about his communications when he was in Russia.”
The White House did not respond to Fortune’s request for comment, though National Security Council spokesperson Brian Hughes told The Atlantic the Signal group “appears to be an authentic message chain” and is reviewing how Goldberg was added to the chain.
U.S. warns of Russian security threat
Despite the administration working with the Kremlin, the Pentagon has been clear in its cybersecurity concerns regarding Russia, issuing a memo on March 18, warning against using Signal because a “vulnerability has been identified” in the app, NPR reported. The memo was released days after the U.S.’s attack and about a week before Goldberg’s presence in the group chat was made public.
“Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations,” the memo said.
“Please note: third party messaging apps (e.g. Signal) are permitted by policy for unclassified accountability/recall exercises but are NOT approved to process or store nonpublic unclassified information,” it continued.
The memo is a reiteration of a previously established policy of the U.S. government. In 2023, the Department of Defense issued a memo classifying “unmanaged” messaging apps, such as Signal and WhatsApp, saying they are “NOT authorized to access, transmit, or process non-public DoD information.”
The group also used a Signal feature that would disappear messages after a week, The Atlantic reported, which some experts said violated public record laws. A former government security leader, who wished to remain anonymous, previously told Fortune all officials in the group chat would be legally required to preserve records of their communications, and no official could determine if their messages did or didn’t apply to public record laws.
Security shortcomings
Despite the Defense Department calling Signal as a vulnerable messaging platform, the real security risk comes not from the app, but from one’s phone, according to one cybersecurity expert.
“Signal is one of the best apps out there for end-to-end encryption and for communication,” V.S. Subrahmanian, professor of computer science at Northwestern University and head of its AI and security laboratory, told Fortune. “But phones are not.”
The Pentagon likely called out Signal specifically because of its popularity, Subrahmanian said, which could make it a bigger target for malware, but there are safety risks for every app downloaded on a personal device. When an app is downloaded, it may be benign, but then automatically updated with malware. Similarly, malware on a personal phone could grab content from whatever is on an individual’s screen, even if they’re using an encrypted app. Instead, one way to mitigate risks is to issue phones to personnel with a limited number of apps that have been thoroughly vetted.
Traveling with sensitive information on one’s phone compounds the security risk. When anyone travels, they run the risk of installing malware on their device by plugging it into an outlet. While a cord can charge a device, it can also transfer data, Subrahmanian explained.
“There’s a well-known class of attacks called ‘juice jacking’ that can use that cord,” Subrahmanian said. “If it can carry data, it can carry software as well, including malware.”
Subrahmanian shied away from calling the consequences of the leaked messages catastrophic, but was clear that the messaging app was not to blame for the security slip.
“It’s not a failure of Signal or Signal technology,” he said. “It’s just human error.”
This story was originally featured on Fortune.com
https://fortune.com/img-assets/wp-content/uploads/2025/03/GettyImages-2205277469-e1743011727484.jpg?resize=1200,600 https://fortune.com/2025/03/26/trump-aide-steve-witkoff-russia-signal-group-chat-atlantic/Sasha Rogelberg
