US News

Well just the same it's as likely that:

1. His handler was a double-agent or US operative fishing them the whole time.
2. He confessed to it after a slip-up or under suspicion after being questioned.
3. They found out at some point, got malware sent to his phone, decypted the messages that way.
4. Some combination of these.

While it certainly is possible that the US has compromised and/or is running top e2e encrypted messengers and I wouldn't use them myself for anything that's considered a serious threat to national security, it's also just as likely they may have for example used metadata inference via the big brother NSA global intercept program (which actually is a number of programs) to say "hey this US military IP address sure is sending regular messages to this IP address we've inferred (which itself is the real breach here in China's operations if true) to belong to Chinese intelligence via this encrypted messenger" at which point they don't have to know message content to know something is up, deploy the malware/and|or seize the device physically and there ya go.

US going around shitting and crying itself over Chinese "societal surveillance" that they fear will and has historically allowed them to shut down American spy networks in China do the same thing but globally and not just nationally and unlike China have no protections against misuse, share the data with between 1 (UK), 7, 14, or 21 countries (eyes agreements), and oh yeah practice rendition, torture, and assassination without trial.