{{Short description|Iran-linked hacktivist organization}} {{pp-extended|small=1}} {{Use dmy dates|date=March 2026}} {{Infobox organization | name = Handala Hack Team | formation = {{start date and age|2023|12|18|df=y}} | type = Hacker group | purpose = [[Internet vigilantism]] against the United States and Israel | location = Iran | methods = [[Cyberattack]]s, [[doxing]], [[email hacking|email]] and [[phone hacking]], [[website defacement]], [[wiper malware]] | affiliations = [[Ministry of Intelligence (Iran)|Iranian Ministry of Intelligence]] | website = {{URL|https://handala-hack.tw}} }} The '''Handala Hack Team''' is a [[Hacktivism|hacktivist]] group supposedly operating from Iran that runs [[cyberattack]]s against U.S. and Israeli organizations. It has released personal documents and emails from thousands of individuals, including politicians. It is believed to be a front for [[Cyberwarfare and Iran|Iran's cyberwarfare]] and thus one of several personas used by the Iranian [[Ministry of Intelligence (Iran)|Ministry of Intelligence]] to take responsibility for its cyberattacks. The group first appeared in December 2023, following the [[October 7 attacks]].
During the [[2026 Iran war]], it was responsible for the [[Wiper (malware)|wiping]] attack through [[Microsoft Intune]] against [[Stryker Corporation]]. It was reported to have been the most significant wartime cyberattack on the United States.<ref name=":1" />
== Characteristics == Handala has been described by media outlets as pro-Palestinian, pro-Iranian,<ref>{{Cite web |date=2026-03-27 |title=Pro-Iran group claims hack of FBI director’s personal email account |url=https://www.euronews.com/2026/03/27/pro-iran-group-claims-credit-for-hack-of-fbi-director-kash-patels-personal-email-account |access-date=2026-03-28 |website=euronews |language=en}}</ref><ref>{{Cite web |last=Tucker |first=Eric |date=2026-03-27 |title=Pro-Iranian group claims credit for hacking into FBI Director Patel's personal account |url=https://www.pbs.org/newshour/nation/pro-iranian-group-claims-credit-for-hacking-into-fbi-director-patels-personal-account |access-date=2026-03-28 |website=PBS News |language=en-us}}</ref> and anti-Israeli.<ref>{{Cite web |last=Kovacs |first=Eduard |date=2026-03-20 |title=US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites |url=https://www.securityweek.com/us-confirms-handala-link-to-iran-government-amid-takedown-of-hackers-sites/ |access-date=2026-03-28 |website=SecurityWeek |language=en-US}}</ref> They have proclaimed themselves as pro-Palestinian [[Internet vigilantism|vigilantes]].<ref>{{Cite web |title=FBI director Kash Patel’s emails, photos hacked by Iran-linked group |url=https://www.aljazeera.com/news/2026/3/27/fbi-director-kash-patels-emails-photos-hacked-by-iran-linked-group |access-date=2026-03-28 |website=Al Jazeera |language=en}}</ref> In December 2023, the group expressed support for Hamas after [[IRGC]] general [[Razi Mousavi]] was killed in an Israeli airstrike. In February 2024, while Israel was preparing for the [[Rafah offensive]], Handala stated: "We stood by [[Rafah]]", while announcing a defacement campaign targeting Israeli websites.<ref name=":6">{{Cite web |last=Dror |first=Idan |last2=Eichler |first2=Hadar |date=2025-02-20 |title=Handala Hack: What We Know About the Rising Threat Actor |url=https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/ |access-date=2026-03-28 |website=Cyberint |language=en-US}}</ref>
The group is named after the character [[Handala]], who was drawn by Palestinian cartoonist [[Naji al-Ali]] in 1969 and has since been used to symbolize Palestinian identity and resilience.<ref name=":4" /> It also uses Handala's image in its online propaganda and cyberattacks.<ref name=":3" />
Western analysts suspect that Handala is linked to the Iranian [[Ministry of Intelligence (Iran)|Ministry of Intelligence]] (MOIS),<ref name=":0" /> with [[Wired (magazine)|Wired]] reporting that it is a suspected front for the ministry.<ref>{{Cite news |last=Greenberg |first=Andy |title=How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks |url=https://www.wired.com/story/handala-hacker-group-iran-us-israel-war/ |access-date=2026-03-27 |work=Wired |language=en-US |issn=1059-1028}}</ref> The US [[United States Department of Justice|Department of Justice]] described Handala as a fictitious identity used by the MOIS to hide its role in "influence operations and psychological scaremongering campaigns".<ref name=":2">{{Cite news |title=The FBI Took Down Iranian Hackers Trolling Israel for Years. Now They're Back |url=https://www.haaretz.com/israel-news/security-aviation/2026-03-21/ty-article/.premium/the-fbi-took-down-iranian-hackers-trolling-israel-for-years-now-theyre-back/0000019d-101c-de86-abff-919cc2dc0000|last=Benjakob|first=Omer|date=21 March 2026|access-date=27 March 2026|work=Haaretz}}</ref>
The FBI said that Handala is run by an MOIS unit responsible for "Justice Homeland" and "Karma Below", two other Iranian intelligence personas.<ref name=":2" /> Iran International reported that Handala is linked to the MOIS Domestic Security Directorate and operations under the cyberunit "Banished Kitten", also known as Storm-0842 and Dune.<ref name=":5">{{Cite web |last=Pourmohsen |first=Mojtaba |date=2025-08-15 |title=Iranian intel officials tied to cyber group targeting Iran International journalists |url=https://www.iranintl.com/en/202508153061 |access-date=2026-03-27 |website=Iran International |language=en}}</ref> The unit, also known by Void Manticore and Red Sandstorm, is responsible for operating Justice Homeland and Karma Below, who have previously targeted Israel and Albania. Justice Homeland was the most prominent group from mid-2022 to late 2023, when it was overtaken by Handala.<ref>{{Cite web |date=2026-03-12 |title=“Handala Hack” - Unveiling Group's Modus Operandi |url=https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/ |access-date=2026-03-28 |website=Check Point Research |language=en-US}}</ref><ref>{{Cite web |date=2026-03-26 |title=Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26) |url=https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/ |access-date=2026-03-28 |website=Unit 42 |language=en-US}}</ref> Banished Kitten was led by [[Yahya Hosseini Panjaki]], also known by Yahya Hamidi, who was sanctioned by the US in 2024.<ref name=":5" /> Panjaki was killed during the [[2026 Iran war]].<ref>{{Cite web |date=2026-03-02 |title=Iran’s deputy minister of intelligence for Israel affairs killed, Israel army says |url=https://www.iranintl.com/en/202603029390 |access-date=2026-03-27 |website=Iran International |language=en}}</ref> According to the ''[[Irish Examiner]]'', the group was forced to reorganize during the war after two of its most prominent figures were killed.<ref>{{Cite web |last=O’Keeffe |first=Cormac |date=2026-03-23 |title=Hacker group behind Stryker attack forced to 'reorganise' after key figures killed in military action |url=https://www.irishexaminer.com/news/arid-41814761.html |access-date=2026-03-27 |website=Irish Examiner |language=en}}</ref> ==History==
=== 2023 === Handala first created accounts on [[Telegram (software)|Telegram]] and X on 18 December 2023, weeks after [[7 October attacks]]. The group first proclaimed itself a "small fighter" of [[Hamas]], before shifting towards broader [[anti-Israeli]] messaging.<ref name=":3">{{Cite news |title=Dark Web Profile: Handala Hack |url=https://socradar.io/blog/dark-web-profile-handala-hack/|date=13 March 2026|access-date=27 March 2026|work=SOCRadar}}</ref>
It was behind HamsaUpdate, a [[Wiper (malware)|wiper malware]] campaign targeting Israeli citizens using both [[Microsoft Windows]] and [[Linux]] systems. The campaign sent out emails to its victims attempting to convince them to download the malware onto their computers. It provoked a warning from Israel's [[National Cyber Directorate]] on 19 December.<ref>{{Cite web |date=2023-12-20 |title=Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk |url=https://intezer.com/blog/stealth-wiper-israeli-infrastructure/ |access-date=2026-03-27 |website=Intezer |language=en-US}}</ref><ref>{{Cite journal |last=Guy |first=Levi |date=2025 |title=Cyber-Attack Via Social Engineering In Israel: A Case Study Of The Hamsaupdate Malware Campaign |url=https://ideas.repec.org//a/blg/reveco/v77y2025i1p101-110.html |journal=Revista Economica |language=en |volume=77 |issue=1 |pages=101–110}}</ref>
===2024=== In April, Handala claimed that it hacked [[Iron Dome]] and radar systems and sent 500,000 texts to Israelis.<ref name=":4">{{Cite web |date=2024-04-16 |title=Handala Hacker Group Warns Israel By Targeting Radar Systems |url=https://thecyberexpress.com/handala-hacker-group-warns-israel/ |access-date=2026-03-27 |website=The Cyber Express |language=en-US}}</ref> On 15 June, the group conducted a ransomware attack on kibbutz [[Ma'agan Michael]], seizing 22 gigabytes of data and sending 5,000 false [[SMS]] warning messages.<ref name=":6" /> In the same month, it also sent SMS messages to residents in [[Ma'ale Yosef Regional Council]], along with a malware app disguised as MyCity that gave Handala further access to devices that downloaded it.<ref name=":7" /> On 21 June, the group claimed without evidence on Telegram that it had targeted "thousands of [[Zionism|Zionist]] organizations". On 20 July, in the wake of the [[2024 CrowdStrike-related IT outages|CrowdStrike-related IT outages]], Handala distributed emails containing wiper malware masked as a PDF file containing instructions on how to fix the issue.<ref>{{Cite web |last=Vicens |first=A. J. |date=2024-07-23 |title=Low-level cybercriminals are pouncing on CrowdStrike-connected outage |url=https://cyberscoop.com/low-level-cybercriminals-are-pouncing-on-crowdstrike-connected-outage/ |access-date=2026-03-27 |website=CyberScoop |language=en-US}}</ref><ref name=":7" />
Since September, Handala began a number of hacks targeting the emails of Israeli politicians. By November, the group leaked 110,000 emails from former Israeli prime minister [[Ehud Barak]], 60,000 emails from former [[IDF]] chief of staff [[Gadi Eisenkot]], 50,000 emails from ambassador to Germany [[Ron Prosor]], and 2,000 photos and 35,000 emails from former defense minister [[Benny Gantz]].<ref name=":7">{{Cite web |date=2024-11-07 |title=Handala Hack: Iranian Cyber Warfare & Rise of Wiper Attacks |url=https://op-c.net/blog/handala-hack-cyber-warfare-wiper-attacks-on-israel/ |access-date=2026-03-27 |language=en-US|website=OP Innovate}}</ref> That same month, the group hacked into [[Vidisco]], claiming it had discovered a "backdoor" in security scanners that enabled the explosives used in Israel's [[2024 Lebanon electronic device attacks|pager attack]] in Lebanon to pass unnoticed.<ref>{{Cite web |date=2024-10-01 |title=Iran-linked Threat Group Handala Actively Targets Israel |url=https://thecyberexpress.com/iran-threat-group-handala-targets-israel/ |access-date=2026-03-27 |language=en-US|website=The Cyber Express}}</ref> On 30 September, Handala said that it seized 197 gigabytes of data from the [[Soreq Nuclear Research Center]] in response to [[2024 Hezbollah headquarters strike|the killing]] of [[Hezbollah]] leader [[Hassan Nasrallah]]. The group targeted [[Sheba Medical Center]] three months prior, seizing data from a biotechnology corporation.<ref>{{Cite news |last=Kahan |first=Raphael |last2=Kahan |first2=Raphael |date=2024-09-30 |title=Iranian hackers claim to breach nuclear research center system in Israel |url=https://www.ynetnews.com/article/bjkqmvda0 |access-date=2026-03-27 |work=Ynetglobal |language=en}}</ref>
On 3 October, Handala hacked into the [[Shin Bet]]'s security system, stealing confidential information from around 30,000 officers. On 6 October, it leaked 300 GB of confidential information from [[Israeli Industrial Batteries]], which provides services to Israel's military. On 8 October, Handala leaked 1.5 TB of data from [[Max Shop]], a service used by over 9,000 Israeli stores, leaking financial transactions and customer data. On 28 October, it conducted a cyberattack on Israeli cybersecurity provider AGAS, compromising 74 of its servers.<ref name=":7" />
On 3 November, Handala hacked servers in [[El'ad]], leaking more than 3 TB of data, including personal data from residents, and impacting municipal services.<ref name=":7" /> On 12 November, Handala leaked photos allegedly seized from the phones of senior Israeli officials, including Benny Gantz and [[Natan Sharansky]]. One photo depicted Gantz topless in bed beside a woman. The group also posted 30 images taken at Soreq and the names of scientists working on its [[particle accelerator]].<ref>{{Cite web |last=Ball |first=Tom |date=2024-11-12 |title=Iran hackers leak private photos of top Israeli officials |url=https://www.thetimes.com/world/middle-east/article/iran-hackers-leak-private-photos-of-top-israeli-officials-fwkmm6x8w |access-date=2026-03-27 |website=The Times |language=en-GB}}</ref> On 24 November, the group claimed that it seized documents containing the names of hundreds of [[Mossad]] operatives in response to [[Killing of Yahya Sinwar|the killing]] of [[Hamas]] leader [[Yahya Sinwar]].<ref>{{Cite web |title=Hacker group claims to have targeted Mossad |url=https://www.upi.com/Top_News/World-News/2024/11/24/hacker-group-targetted-mossad-shin-bet/9361732473386/ |access-date=2026-03-27 |website=UPI |language=en}}</ref>
===2025=== On 27 January 2025, Handala targeted [[Maager-Tec]] [[public address system]]s of at least 20 kindergartens in Israel, playing Arabic messages, anti-Israeli songs, and rocket sirens.<ref>{{Cite web |date=2025-01-27 |title=Iranian cyberattack targets kindergartens, plays rocket sirens |url=https://www.jpost.com/israel-news/article-839386 |access-date=2026-03-27 |website=The Jerusalem Post |language=en}}</ref><ref>{{Cite web |date=2025-01-27 |title=Iranian hacker group targets Israeli kindergartens' PA systems |url=https://www.iranintl.com/en/202501265679 |access-date=2026-03-27 |website=Iran International |language=en}}</ref> In May, Ehud Barak's email inbox was published by [[Distributed Denial of Secrets]] after being leaked by Handala, revealing an invitation to Barak by [[Jeffrey Epstein]] to a dinner with [[Peter Thiel]] in May 2014. Barak said he could not make it, although Epstein insisted on Barak meeting Thiel and offered to set up another meeting the next month.<ref>{{Cite web |last=Petti |first=Matthew |date=2025-08-27 |title=Inside Jeffrey Epstein’s spy industry connections |url=https://reason.com/2025/08/27/inside-jeffrey-epsteins-spy-industry-connections/ |access-date=2026-03-27 |website=Reason.com |language=en-US}}</ref> On 8 July, the group said that it accessed server infrastructure belonging to [[Iran International]], and released photos of government IDs and other personal information belonging to five of its staff. The following day, it claimed that it received information on thousands of people linked to the outlet, and later published the personal details of several journalists on [[Facebook]].<ref>{{Cite web |date=2025-09-11 |title=Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots |url=https://www.international.gc.ca/transparency-transparence/rapid-response-mechanism-mecanisme-reponse-rapide/iran-hack-piratage-iranien.aspx?lang=eng |access-date=2026-03-27 |website=Global Affairs Canada}}</ref>
In November, it was reported that Handala obtained and leaked emails written between the 2000s and 2018 between [[Palantir]] co-founder Peter Thiel and top Israeli officials, such as Ehud Barak and Benny Gantz, who expressed interest in gaining access to his company.<ref>{{Cite web |date=2025-11-23 |title=Inside the extended courtship linking Jeffrey Epstein, Peter Thiel, and Israeli officials |url=https://sfstandard.com/2025/11/23/extended-courtship-linking-jeffrey-epstein-peter-thiel-israeli-officials/ |access-date=2026-03-27 |website=San Francisco Standard |language=en}}</ref> On 29 November, the group said it left a bouquet of flowers inside of the car of a senior Israeli nuclear scientist, and also published personal information belonging to alleged [[Unit 8200]] members.<ref>{{Cite news |date=2025-11-29 |title=Iranian hackers claim they left a heavy bouquet in Israeli nuclear scientist’s car |url=https://www.ynetnews.com/article/s161vadwbx |access-date=2026-03-27 |work=Ynetglobal |language=en}}</ref>
On 16 December, the group claimed it released details on 13 designers of defense systems such as the [[Arrow (missile family)|Arrow]] and [[David's Sling]], and offered a $30,000 bounty for more information on the Israeli military industry.<ref name=":0">{{Cite web |date=2025-12-16 |title=Iran-linked hacker group offers $30,000 bounty for Israel's military info |url=https://www.iranintl.com/en/202512164597 |access-date=2026-03-27 |website=Iran International |language=en}}</ref> On 18 December, Handala said that it hacked the phone of former Israeli prime minister [[Naftali Bennett]], publishing his chat messages and 141-page list of his contacts. Bennett said that only his Telegram account was breached.<ref>{{Cite web |last=Peled |first=Anat |date=2025-12-18 |title=New Iran-Linked Cyberattack Targets Former Israeli Prime Minister |url=https://www.wsj.com/world/middle-east/iran-hacks-former-israeli-prime-minister-in-new-tehran-linked-cyberattack-f1a959ca |access-date=2026-03-27 |website=The Wall Street Journal |language=en-US}}</ref> On 28 December, the group said that it hacked into the iPhone of prime minister [[Benjamin Netanyahu]]'s chief of staff, [[Tzachi Braverman]], as part of its "Bibi Gate" operation. The group threatened to release files from the phone, including phone numbers linked to senior officials, but a breach was denied by the [[Prime Minister's Office (Israel)|Prime Minister's Office]].<ref>{{Cite web |date=2025-12-28 |title=Iran-linked hacking group claims access to phone of Netanyahu aide |url=https://www.iranintl.com/en/202512284069 |access-date=2026-03-27 |website=Iran International |language=en}}</ref>
===2026=== On 3 January, Handala published 60 photos and videos from [[Ayelet Shaked]]'s phone.<ref>{{Cite web |title=Iran-linked hackers claim they breached former minister Ayelet Shaked's phone |url=https://www.timesofisrael.com/iran-linked-hackers-claim-they-breached-former-minister-ayelet-shakeds-phone/amp/ |access-date=2026-03-27 |website=The Times of Israel}}</ref> On 8 January, it claimed that it had surveilled a senior Mossad operative behind covert operations in Iran, and released videos allegedly shot outside their home.<ref>{{Cite web |date=2026-01-08 |title=Iran-backed Handala threatens to leak Mossad information |url=https://www.jpost.com/middle-east/article-882791 |access-date=2026-03-27 |website=The Jerusalem Post |language=en}}</ref> On 25 February, the group said that it hacked into [[Clalit Health Services]] and released medical information from over 10,000 patients.<ref>{{Cite web |title=Iran-linked hacker group claims to breach data of Israel's largest healthcare network |url=https://www.timesofisrael.com/iran-linked-hacker-group-claims-to-breach-data-of-israels-largest-healthcare-network/amp/ |access-date=2026-03-27 |website=The Times of Israel}}</ref>
====Iran war==== {{See also|Cyberwarfare during the 2026 Iran war}} On 3 March, Handala put a $250,000 bounty for the beheadings of Iranian-Canadian activist [[Goldie Ghamari]] and Iranian-American lawyer [[Elica Le Bon]], claiming it had leaked their home addresses to the [[Jalisco New Generation Cartel]].<ref>{{Cite web |date=2026-03-02 |title=Iran-linked hackers offer $250,000 bounty to kill activists |url=https://www.jpost.com/middle-east/iran-news/article-888492 |access-date=2026-03-28 |website=The Jerusalem Post |language=en}}</ref>
On 11 March, Handala claimed a cyberattack against the [[Michigan]]-based medical technology manufacturer [[Stryker Corporation]], which serves 150 million patients. The attack affected devices that were connected to [[Microsoft Windows]], disrupting much of the company's global operations, such as order processing, manufacturing, and shipping and forcing tens of thousands of employees to be sent home.<ref>{{Cite web |last=Lyngaas |first=Sean |date=2026-03-11 |title=Pro-Iran hackers claim cyberattack on major US medical device maker |url=https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker |access-date=2026-03-27 |website=CNN |language=en}}</ref><ref name=":1">{{Cite web |last=Loftus |first=Peter |date=2026-03-16 |title=Hack on U.S. Medical Company Shows Reach of Iran’s Cyber Capabilities |url=https://www.wsj.com/politics/national-security/hack-on-u-s-medical-company-shows-reach-of-irans-cyber-capabilities-85999878 |access-date=2026-03-27 |website=The Wall Street Journal |language=en-US|last2=Volz|first2=Dustin}}</ref> The company said on 26 March that it had largely recovered from the cyberattack.<ref>{{Cite news |title=Stryker says manufacturing mostly restored after cyberattack |url=https://www.reuters.com/business/stryker-says-manufacturing-mostly-restored-after-cyberattack-2026-03-26/|date=26 March 2026|access-date=27 March 2026|work=Reuters}}</ref> Handala said that it destroyed over 200,000 of Stryker's systems and devices across 79 countries in response to the [[2026 Minab school attack|Minab school attack]] that reportedly killed at least 170 people.<ref>{{Cite web |title=Iran-linked hackers hit medical giant Stryker in retaliatory cyberattack |url=https://www.aljazeera.com/news/2026/3/11/iran-linked-hackers-hit-medical-giant-stryker-in-retaliatory-cyberattack |access-date=2026-03-27 |website=Al Jazeera |language=en}}</ref><ref>{{Cite web |last=Annaloro |first=Julia |date=2026-03-27 |title=Why Microsoft Intune’s role in Stryker cyberattack is a scary prospect |url=https://health-isac.org/why-microsoft-intunes-role-in-stryker-cyberattack-is-a-scary-prospect/ |access-date=2026-03-27 |website=Health Information Sharing and Analysis Center |language=en-US}}</ref> It was reported to have been the most severe Iranian wartime cyberattack against the US in history.<ref name=":1" /> Also that day, Handala hacked the [[Academy of the Hebrew Language]] website, replacing it with its logo and the message: "There is no need to learn Hebrew anymore. You won’t need it for much longer."<ref>{{Cite web |date=2026-03-11 |title=Handala hackers breach Academy of Hebrew Language's website |url=https://www.jpost.com/middle-east/iran-news/article-889558 |access-date=2026-03-28 |website=The Jerusalem Post |language=en}}</ref>
On 19 March, the [[Federal Bureau of Investigation]] (FBI) took down Handala's website, which was used to document its activities. A backup website and two others linked to Iran's cyber operations were also shut down. Handala's [[X (social network)|X]] account was also banned.<ref>{{Cite web |date=2026-03-19 |title=FBI seizes website tied to Iranian cyberattack on U.S. company |url=https://www.nbcnews.com/tech/security/iran-cyber-attack-stryker-us-company-risk-war-fbi-handala-rcna264332 |access-date=2026-03-27 |website=NBC News |language=en}}</ref> The following day, Handala restored its website.<ref>{{Cite news |title=Iran-linked hackers restore website after US seizes domains |url=https://www.reuters.com/technology/iran-linked-hackers-restore-website-after-us-seizes-domains-2026-03-20/|last=Vicens|first=A.J.|date=20 March 2026|access-date=27 March 2026|work=Reuters}}</ref> On 27 March, Handala said that it hacked the personal email of FBI director [[Kash Patel]], publishing more than 300 emails, as well as his photos and alleged resume.<ref>{{Cite web |date=2026-03-27 |title=FBI Director Kash Patel's personal email breached by hackers linked to Iran, sources say |url=https://www.cbsnews.com/news/fbi-director-kash-patel-email-hackers-lran/ |access-date=2026-03-27 |website=CBS News |language=en-US}}</ref><ref>{{Cite news |date=2026-03-27 |title=FBI director’s personal email, photos and documents leaked by Iran-linked hackers |url=https://www.theguardian.com/us-news/2026/mar/27/fbi-director-kash-patel-email-hacked-by-iran |access-date=2026-03-29 |work=The Guardian |language=en-GB |issn=0261-3077}}</ref> Most of the emails released by the group were dated before 2019, before Patel was appointed director of the FBI. Following the hack, the [[Rewards for Justice Program]] offered up to $10 million in exchange for the identification of the Handala group.<ref>{{Cite web |title=Iranian hackers allegedly breached FBI Director Patel’s personal emails |url=https://abcnews.com/US/hackers-breached-fbi-director-kash-patels-emails-prior/story?id=131474304 |access-date=2026-03-28 |website=ABC News |language=en}}</ref>
On 1 April, Handala claimed that it seized 2 TB of data, including information about county employees, police reports, and death certificates, after hacking computer systems in [[St. Joseph County, Indiana]].<ref>{{Cite web |last=Short |first=Joshua |date=2026-04-01 |title=Iranian-backed hacker group claims St. Joseph County data breach |url=https://www.wndu.com/2026/04/01/iranian-backed-hacker-group-claims-st-joseph-county-data-breach/ |access-date=2026-04-17 |website=WNDU |language=en}}</ref> Local officials confirmed a hack occurred, but said that only third-party faxing systems were affected and no sensitive data was released.<ref>{{Cite web |last=Kim |first=John Beomsoo |date=2026-04-03 |title=St. Joseph County officials address cyber attack by Iranian-backed hacker group |url=https://www.wndu.com/2026/04/03/st-joseph-county-officials-address-cyber-attack-by-iranian-backed-hacker-group/ |access-date=2026-04-17 |website=WNDU |language=en}}</ref> On 9 April, the group said that it hacked the devices of former IDF chief of staff [[Herzi Halevi]] and released over 19,000 documents. Among the files released were photos and videos from previously unknown meetings with Jordanian army chief [[Yousef Huneiti]] in Jordan and US [[CENTCOM]] commander [[Michael Kurilla]] in Qatar, as well as personal photos and IDs.<ref>{{Cite web |title=Iran-linked hackers leak photos of ex-IDF chief Halevi's work and family life |url=https://www.timesofisrael.com/iran-linked-hackers-leak-photos-of-ex-idf-chief-halevis-work-and-family-life/amp/ |access-date=2026-04-17 |website=The Times of Israel}}</ref>
== See also == {{Portal|Internet|Iran }}
* [[List of hacker groups]] * [[Harakat Ashab al-Yamin al-Islamia]] * [[Predatory Sparrow]]
== References == {{Reflist}}
== External links == * {{Official website|https://handala-hack.tw}}
[[Category:Anti-Americanism]] [[Category:Anti-Israeli sentiment]] [[Category:Cyberattack gangs]] [[Category:Cyberattacks]] [[Category:Cybercrime]] [[Category:Cyberwarfare in Iran]] [[Category:Hacker groups]] [[Category:Hacktivists]] [[Category:Internet vigilantism]] [[Category:Ministry of Intelligence (Iran)]] [[Category:Organizations established in 2023]] [[Category:Organizations involved in the Israeli–Palestinian conflict]] [[Category:Palestinian nationalism]]