- The FBI recovered deleted Signal messages from an iPhone by pulling them from Apple’s push notification cache—not by cracking encryption.
- The technique surfaced during a federal terrorism trial tied to a July 2025 attack on an ICE facility in Texas.
- Any messaging app with notification previews enabled leaves the same forensic trail, and a 15-second settings change could have stopped it.
The FBI extracted incoming Signal messages from a defendant’s iPhone even after she’d deleted the app and set messages to auto-delete. The technique didn’t involve breaking Signal’s end-to-end encryption, compromising any server, or exploiting a zero-day vulnerability. It exploited something far more mundane: a notification cache built into iOS that most users don’t know exists.
FBI Special Agent Clark Wiethorn testified about the method on March 10, 2026, during day twelve of a federal terrorism trial in Fort Worth. The case involved nine defendants charged in connection with a July 4, 2025 assault on the ICE Prairieland Detention Facility in Alvarado, Texas, according to detailed court reporting. One defendant, Lynette Sharp, 57, had already pleaded guilty in November 2025 to providing material support to terrorists.
How the FBI Recovered ‘Deleted’ Signal Messages
When you get a Signal message and your phone displays a notification preview on the lock screen, iOS stores a copy of that decrypted text in an internal system database. Specifically, Apple’s BulletinBoard framework—which keeps its data at /private/var/mobile/Library/BulletinBoard/—caches notification content independently of the originating app. Delete Signal, delete the messages, set disappearing timers—it doesn’t matter. The notification cache keeps its own copy.
The FBI used forensic extraction tools—reportedly Cellebrite—to pull this data from Sharp’s seized iPhone. What they recovered were incoming message previews that had been written to iOS system storage whenever a notification appeared. Only incoming messages were captured. Outgoing messages don’t pass through the push notification system, so they left no such trace.
The 404 Media report that broke the story on April 9, 2026, confirmed the details through defense attorney Harmony Schuerman, who was present for the testimony. The disclosure has since been corroborated by multiple forensic experts.
This isn’t a Signal-specific vulnerability. WhatsApp, Telegram, iMessage, and any other app that renders message content in notifications leaves the same forensic breadcrumbs. Signal’s encryption worked exactly as designed—the FBI simply bypassed it entirely by reading iOS’s copy of the notification data.
The fix is almost insultingly simple. Open Signal, go to Settings, tap Notifications, select Notification Content, and choose “No Name or Message.” That prevents iOS from storing readable message text in its notification database. The whole process takes about 15 seconds.
The case carries additional weight as the first federal prosecution involving alleged activities connected to President Trump’s designation of “Antifa” as a terrorist organization. Sharp faces up to 15 years in federal prison.
Wiethorn’s testimony was given in open court, making the technique permanently public knowledge—a detail that matters for anyone assuming their deleted messages are actually gone.
