The Handala Hack Team is a hacktivist group supposedly operating from Iran that runs cyberattacks against U.S. and Israeli organizations. It has released personal documents and emails from thousands of individuals, including politicians. It is believed to be a front for Iran’s cyberwarfare and thus one of several personas used by the Iranian Ministry of Intelligence to take responsibility for its cyberattacks. The group first appeared in December 2023, following the October 7 attacks.
During the 2026 Iran war, it was responsible for the wiping attack through Microsoft Intune against Stryker Corporation. It was reported to have been the most significant wartime cyberattack on the United States.[1]
Characteristics
Handala has been described by media outlets as pro-Palestinian, pro-Iranian,[2][3] and anti-Israeli.[4] They have proclaimed themselves as pro-Palestinian vigilantes.[5] In December 2023, the group expressed support for Hamas after IRGC general Razi Mousavi was killed in an Israeli airstrike. In February 2024, while Israel was preparing for the Rafah offensive, Handala stated: “We stood by Rafah”, while announcing a defacement campaign targeting Israeli websites.[6]
The group is named after the character Handala, who was drawn by Palestinian cartoonist Naji al-Ali in 1969 and has since been used to symbolize Palestinian identity and resilience.[7] It also uses Handala’s image in its online propaganda and cyberattacks.[8]
Western analysts suspect that Handala is linked to the Iranian Ministry of Intelligence (MOIS),[9] with Wired reporting that it is a suspected front for the ministry.[10] The US Department of Justice described Handala as a fictitious identity used by the MOIS to hide its role in “influence operations and psychological scaremongering campaigns”.[11]
The FBI said that Handala is run by an MOIS unit responsible for “Justice Homeland” and “Karma Below”, two other Iranian intelligence personas.[11] Iran International reported that Handala is linked to the MOIS Domestic Security Directorate and operations under the cyberunit “Banished Kitten”, also known as Storm-0842 and Dune.[12] The unit, also known as Void Manticore and Red Sandstorm, is responsible for operating Justice Homeland and Karma Below, which have previously targeted Israel and Albania. Justice Homeland was the most prominent group from mid-2022 to late 2023, when it was overtaken by Handala.[13][14] Banished Kitten was led by Yahya Hosseini Panjaki, also known as Yahya Hamidi, who was sanctioned by the US in 2024.[12] Panjaki was killed during the 2026 Iran war.[15] According to the Irish Examiner, the group was forced to reorganize during the war after two of its most prominent figures were killed.[16]
History
2023
Handala first created accounts on Telegram and X on 18 December 2023, weeks after the 7 October attacks. The group first proclaimed itself a “small fighter” of Hamas, before shifting towards broader anti-Israeli messaging.[8]
It was behind HamsaUpdate, a wiper malware campaign targeting Israeli citizens using both Microsoft Windows and Linux systems. The campaign sent out emails to its victims attempting to convince them to download the malware onto their computers. It provoked a warning from Israel’s National Cyber Directorate on 19 December.[17][18]
2024
In April, Handala claimed that it hacked Iron Dome and radar systems and sent 500,000 texts to Israelis.[7] On 15 June, the group conducted a ransomware attack on kibbutz Ma’agan Michael, seizing 22 gigabytes of data and sending 5,000 false SMS warning messages.[6] In the same month, it also sent SMS messages to residents in Ma’ale Yosef Regional Council, along with a malware app disguised as MyCity that gave Handala further access to devices that downloaded it.[19] On 21 June, the group claimed without evidence on Telegram that it had targeted “thousands of Zionist organizations”. On 20 July, in the wake of the CrowdStrike-related IT outages, Handala distributed emails containing wiper malware masked as a PDF file containing instructions on how to fix the issue.[20][19]
Starting in September, Handala began a number of hacks targeting the emails of Israeli politicians. By November, the group had leaked 110,000 emails from former Israeli prime minister Ehud Barak, 60,000 emails from former IDF chief of staff Gadi Eisenkot, 50,000 emails from ambassador to Germany Ron Prosor, and 2,000 photos and 35,000 emails from former defense minister Benny Gantz.[19] That same month, the group hacked into Vidisco, claiming it had discovered a “backdoor” in security scanners that enabled the explosives used in Israel’s pager attack in Lebanon to pass unnoticed.[21] On 30 September, Handala said that it seized 197 gigabytes of data from the Soreq Nuclear Research Center in response to the killing of Hezbollah leader Hassan Nasrallah. The group had targeted Sheba Medical Center three months prior, seizing data from a biotechnology corporation.[22]
On 3 October, Handala hacked into the Shin Bet’s security system, stealing confidential information from around 30,000 officers. On 6 October, it leaked 300 GB of confidential information from Israeli Industrial Batteries, which provides services to Israel’s military. On 8 October, Handala leaked 1.5 TB of data from Max Shop, a service used by over 9,000 Israeli stores, leaking financial transactions and customer data. On 28 October, it conducted a cyberattack on Israeli cybersecurity provider AGAS, compromising 74 of its servers.[19]
On 3 November, Handala hacked servers in El’ad, leaking more than 3 TB of data, including personal data from residents, and impacting municipal services.[19] On 12 November, Handala leaked photos allegedly seized from the phones of senior Israeli officials, including Benny Gantz and Natan Sharansky. One photo depicted Gantz topless in bed beside a woman. The group also posted 30 images taken at Soreq and the names of scientists working on its particle accelerator.[23] On 24 November, the group claimed that it seized documents containing the names of hundreds of Mossad operatives in response to the killing of Hamas leader Yahya Sinwar.[24]
2025
On 27 January 2025, Handala targeted Maager-Tec public address systems of at least 20 kindergartens in Israel, playing Arabic messages, anti-Israeli songs, and rocket sirens.[25][26] In May, Ehud Barak’s email inbox was published by Distributed Denial of Secrets after being leaked by Handala, revealing an invitation to Barak by Jeffrey Epstein to a dinner with Peter Thiel in May 2014. Barak said he could not make it, although Epstein insisted on Barak meeting Thiel and offered to set up another meeting the next month.[27] On 8 July, the group said that it accessed server infrastructure belonging to Iran International, and released photos of government IDs and other personal information belonging to five of its staff. The following day, it claimed that it received information on thousands of people linked to the outlet, and later published the personal details of several journalists on Facebook.[28]
In November, it was reported that Handala obtained and leaked emails exchanged from the 2000s to 2018 between Palantir co-founder Peter Thiel and top Israeli officials, such as Ehud Barak and Benny Gantz, who expressed interest in gaining access to his company.[29] On 29 November, the group said it left a bouquet of flowers inside the car of a senior Israeli nuclear scientist, and also published personal information belonging to alleged Unit 8200 members.[30]
On 16 December, the group claimed it released details on 13 designers of defense systems such as the Arrow and David’s Sling, and offered a $30,000 bounty for more information on the Israeli military industry.[9] On 18 December, Handala said that it hacked the phone of former Israeli prime minister Naftali Bennett, publishing his chat messages and a 141-page list of his contacts. Bennett said that only his Telegram account was breached.[31] On 28 December, the group said that it hacked into the iPhone of prime minister Benjamin Netanyahu’s chief of staff, Tzachi Braverman, as part of its “Bibi Gate” operation. The group threatened to release files from the phone, including phone numbers linked to senior officials, but a breach was denied by the Prime Minister’s Office.[32]
2026
On 3 January, Handala published 60 photos and videos from Ayelet Shaked’s phone.[33] On 8 January, it claimed that it had surveilled a senior Mossad operative behind covert operations in Iran, and released videos allegedly shot outside their home.[34] On 25 February, the group said that it hacked into Clalit Health Services and released medical information from over 10,000 patients.[35]
Iran war
On 3 March, Handala put up a $250,000 bounty for the beheadings of Iranian-Canadian activist Goldie Ghamari and Iranian-American lawyer Elica Le Bon, claiming it had leaked their home addresses to the Jalisco New Generation Cartel.[36]
On 11 March, Handala claimed a cyberattack against the Michigan-based medical technology manufacturer Stryker Corporation, which serves 150 million patients. The attack affected devices that were connected to Microsoft Windows, disrupting much of the company’s global operations, such as order processing, manufacturing, and shipping, and forcing tens of thousands of employees to be sent home.[37][1] The company said on 26 March that it had largely recovered from the cyberattack.[38] Handala said that it destroyed over 200,000 of Stryker’s systems and devices across 79 countries in response to the Minab school attack that reportedly killed at least 170 people.[39][40] It was reported to have been the most severe Iranian wartime cyberattack against the US in history.[1] Also that day, Handala hacked the Academy of the Hebrew Language website, replacing it with its logo and the message: “There is no need to learn Hebrew anymore. You won’t need it for much longer.”[41]
On 19 March, the Federal Bureau of Investigation (FBI) took down Handala’s website, which was used to document its activities. A backup website and two others linked to Iran’s cyber operations were also shut down. Handala’s X account was also banned.[42] The following day, Handala restored its website.[43] On 27 March, Handala said that it hacked the personal email of FBI director Kash Patel, publishing more than 300 emails, as well as his photos and alleged resume.[44][45] Most of the emails released by the group were dated before 2019, before Patel was appointed director of the FBI. Following the hack, the Rewards for Justice Program offered up to $10 million in exchange for the identification of the Handala group.[46]
On 1 April, Handala claimed that it seized 2 TB of data, including information about county employees, police reports, and death certificates, after hacking computer systems in St. Joseph County, Indiana.[47] Local officials confirmed a hack occurred, but said that only third-party faxing systems were affected and no sensitive data was released.[48] On 9 April, the group said that it hacked the devices of former IDF chief of staff Herzi Halevi and released over 19,000 documents. Among the files released were photos and videos from previously unknown meetings with Jordanian army chief Yousef Huneiti in Jordan and US CENTCOM commander Michael Kurilla in Qatar, as well as personal photos and IDs.[49]
References
1. Loftus, Peter; Volz, Dustin (16 March 2026). “Hack on U.S. Medical Company Shows Reach of Iran’s Cyber Capabilities”. The Wall Street Journal. Retrieved 27 March 2026.
2. “Pro-Iran group claims hack of FBI director’s personal email account”. euronews. 27 March 2026. Retrieved 28 March 2026.
3. Tucker, Eric (27 March 2026). “Pro-Iranian group claims credit for hacking into FBI Director Patel’s personal account”. PBS News. Retrieved 28 March 2026.
4. Kovacs, Eduard (20 March 2026). “US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites”. SecurityWeek. Retrieved 28 March 2026.
5. “FBI director Kash Patel’s emails, photos hacked by Iran-linked group”. Al Jazeera. Retrieved 28 March 2026.
6. Dror, Idan; Eichler, Hadar (20 February 2025). “Handala Hack: What We Know About the Rising Threat Actor”. Cyberint. Retrieved 28 March 2026.
7. “Handala Hacker Group Warns Israel By Targeting Radar Systems”. The Cyber Express. 16 April 2024. Retrieved 27 March 2026.
8. “Dark Web Profile: Handala Hack”. SOCRadar. 13 March 2026. Retrieved 27 March 2026.
9. “Iran-linked hacker group offers $30,000 bounty for Israel’s military info”. Iran International. 16 December 2025. Retrieved 27 March 2026.
10. Greenberg, Andy. “How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks”. Wired. ISSN 1059-1028. Retrieved 27 March 2026.
11. Benjakob, Omer (21 March 2026). “The FBI Took Down Iranian Hackers Trolling Israel for Years. Now They’re Back”. Haaretz. Retrieved 27 March 2026.
12. Pourmohsen, Mojtaba (15 August 2025). “Iranian intel officials tied to cyber group targeting Iran International journalists”. Iran International. Retrieved 27 March 2026.
13. “‘Handala Hack’ – Unveiling Group’s Modus Operandi”. Check Point Research. 12 March 2026. Retrieved 28 March 2026.
14. “Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26)”. Unit 42. 26 March 2026. Retrieved 28 March 2026.
15. “Iran’s deputy minister of intelligence for Israel affairs killed, Israel army says”. Iran International. 2 March 2026. Retrieved 27 March 2026.
16. O’Keeffe, Cormac (23 March 2026). “Hacker group behind Stryker attack forced to ‘reorganise’ after key figures killed in military action”. Irish Examiner. Retrieved 27 March 2026.
17. “Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk”. Intezer. 20 December 2023. Retrieved 27 March 2026.
18. Guy, Levi (2025). “Cyber-Attack Via Social Engineering In Israel: A Case Study Of The Hamsaupdate Malware Campaign”. Revista Economica. 77 (1): 101–110.
19. “Handala Hack: Iranian Cyber Warfare & Rise of Wiper Attacks”. OP Innovate. 7 November 2024. Retrieved 27 March 2026.
20. Vicens, A. J. (23 July 2024). “Low-level cybercriminals are pouncing on CrowdStrike-connected outage”. CyberScoop. Retrieved 27 March 2026.
21. “Iran-linked Threat Group Handala Actively Targets Israel”. The Cyber Express. 1 October 2024. Retrieved 27 March 2026.
22. Kahan, Raphael (30 September 2024). “Iranian hackers claim to breach nuclear research center system in Israel”. Ynetglobal. Retrieved 27 March 2026.
23. Ball, Tom (12 November 2024). “Iran hackers leak private photos of top Israeli officials”. The Times. Retrieved 27 March 2026.
24. “Hacker group claims to have targeted Mossad”. UPI. Retrieved 27 March 2026.
25. “Iranian cyberattack targets kindergartens, plays rocket sirens”. The Jerusalem Post. 27 January 2025. Retrieved 27 March 2026.
26. “Iranian hacker group targets Israeli kindergartens’ PA systems”. Iran International. 27 January 2025. Retrieved 27 March 2026.
27. Petti, Matthew (27 August 2025). “Inside Jeffrey Epstein’s spy industry connections”. Reason.com. Retrieved 27 March 2026.
28. “Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots”. Global Affairs Canada. 11 September 2025. Retrieved 27 March 2026.
29. “Inside the extended courtship linking Jeffrey Epstein, Peter Thiel, and Israeli officials”. San Francisco Standard. 23 November 2025. Retrieved 27 March 2026.
30. “Iranian hackers claim they left a heavy bouquet in Israeli nuclear scientist’s car”. Ynetglobal. 29 November 2025. Retrieved 27 March 2026.
31. Peled, Anat (18 December 2025). “New Iran-Linked Cyberattack Targets Former Israeli Prime Minister”. The Wall Street Journal. Retrieved 27 March 2026.
32. “Iran-linked hacking group claims access to phone of Netanyahu aide”. Iran International. 28 December 2025. Retrieved 27 March 2026.
33. “Iran-linked hackers claim they breached former minister Ayelet Shaked’s phone”. The Times of Israel. Retrieved 27 March 2026.
34. “Iran-backed Handala threatens to leak Mossad information”. The Jerusalem Post. 8 January 2026. Retrieved 27 March 2026.
35. “Iran-linked hacker group claims to breach data of Israel’s largest healthcare network”. The Times of Israel. Retrieved 27 March 2026.
36. “Iran-linked hackers offer $250,000 bounty to kill activists”. The Jerusalem Post. 2 March 2026. Retrieved 28 March 2026.
37. Lyngaas, Sean (11 March 2026). “Pro-Iran hackers claim cyberattack on major US medical device maker”. CNN. Retrieved 27 March 2026.
38. “Stryker says manufacturing mostly restored after cyberattack”. Reuters. 26 March 2026. Retrieved 27 March 2026.
39. “Iran-linked hackers hit medical giant Stryker in retaliatory cyberattack”. Al Jazeera. Retrieved 27 March 2026.
40. Annaloro, Julia (27 March 2026). “Why Microsoft Intune’s role in Stryker cyberattack is a scary prospect”. Health Information Sharing and Analysis Center. Retrieved 27 March 2026.
41. “Handala hackers breach Academy of Hebrew Language’s website”. The Jerusalem Post. 11 March 2026. Retrieved 28 March 2026.
42. “FBI seizes website tied to Iranian cyberattack on U.S. company”. NBC News. 19 March 2026. Retrieved 27 March 2026.
43. Vicens, A.J. (20 March 2026). “Iran-linked hackers restore website after US seizes domains”. Reuters. Retrieved 27 March 2026.
44. “FBI Director Kash Patel’s personal email breached by hackers linked to Iran, sources say”. CBS News. 27 March 2026. Retrieved 27 March 2026.
45. “FBI director’s personal email, photos and documents leaked by Iran-linked hackers”. The Guardian. 27 March 2026. ISSN 0261-3077. Retrieved 29 March 2026.
46. “Iranian hackers allegedly breached FBI Director Patel’s personal emails”. ABC News. Retrieved 28 March 2026.
47. Short, Joshua (1 April 2026). “Iranian-backed hacker group claims St. Joseph County data breach”. WNDU. Retrieved 17 April 2026.
48. Kim, John Beomsoo (3 April 2026). “St. Joseph County officials address cyber attack by Iranian-backed hacker group”. WNDU. Retrieved 17 April 2026.
49. “Iran-linked hackers leak photos of ex-IDF chief Halevi’s work and family life”. The Times of Israel. Retrieved 17 April 2026.