Handala Hack Team
Iran-linked hacktivist organization
From Wikipedia, the free encyclopedia
The Handala Hack Team is a hacktivist group supposedly operating from Iran that runs cyberattacks against U.S. and Israeli organizations. It has released personal documents and emails from thousands of individuals, including politicians. It is believed to be a front for Iran's cyberwarfare and thus one of several personas used by the Iranian Ministry of Intelligence to take responsibility for its cyberattacks. The group first appeared in December 2023, following the October 7 attacks.
| Formation | 18 December 2023 |
|---|---|
| Type | Hacker group |
| Purpose | Internet vigilantism against the United States and Israel |
| Location | Iran |
| Methods | Cyberattacks, doxing, email and phone hacking, website defacement, wiper malware |
| Affiliations | Iranian Ministry of Intelligence |
| Website | handala-hack |
During the 2026 Iran war, it was responsible for the wiper attack carried out through Microsoft Intune against Stryker Corporation. It was reported to have been the most significant wartime cyberattack on the United States.[1]
Characteristics
Handala has been described by media outlets as pro-Palestinian, pro-Iranian,[2][3] and anti-Israeli.[4] They have proclaimed themselves as pro-Palestinian vigilantes.[5] In December 2023, the group expressed support for Hamas after IRGC general Razi Mousavi was killed in an Israeli airstrike. In February 2024, while Israel was preparing for the Rafah offensive, Handala stated: "We stood by Rafah", while announcing a defacement campaign targeting Israeli websites.[6]
The group is named after the character Handala, who was drawn by Palestinian cartoonist Naji al-Ali in 1969 and has since been used to symbolize Palestinian identity and resilience.[7] It also uses Handala's image in its online propaganda and cyberattacks.[8]
Western analysts suspect that Handala is linked to the Iranian Ministry of Intelligence (MOIS),[9] with Wired reporting that it is a suspected front for the ministry.[10] The US Department of Justice described Handala as a fictitious identity used by the MOIS to hide its role in "influence operations and psychological scaremongering campaigns".[11]
The FBI said that Handala is run by an MOIS unit responsible for "Justice Homeland" and "Karma Below", two other Iranian intelligence personas.[11] Iran International reported that Handala is linked to the MOIS Domestic Security Directorate and operates under the cyber unit "Banished Kitten", also known as Storm-0842 and Dune.[12] The unit, also known as Void Manticore and Red Sandstorm, is responsible for operating Justice Homeland and Karma Below, which have previously targeted Israel and Albania. Justice Homeland was the most prominent of these personas from mid-2022 to late 2023, when it was overtaken by Handala.[13][14] Banished Kitten was led by Yahya Hosseini Panjaki, also known as Yahya Hamidi, who was sanctioned by the US in 2024.[12] Panjaki was killed during the 2026 Iran war.[15] According to the Irish Examiner, the group was forced to reorganize during the war after two of its most prominent figures were killed.[16]
History
2023
Handala first created accounts on Telegram and X on 18 December 2023, weeks after the 7 October attacks. The group first proclaimed itself a "small fighter" of Hamas, before shifting towards broader anti-Israeli messaging.[8]
It was behind HamsaUpdate, a wiper malware campaign targeting Israeli citizens using both Microsoft Windows and Linux systems. The campaign sent out emails to its victims attempting to convince them to download the malware onto their computers. It provoked a warning from Israel's National Cyber Directorate on 19 December.[17][18]
2024
In April, Handala claimed that it hacked Iron Dome and radar systems and sent 500,000 texts to Israelis.[7] On 15 June, the group conducted a ransomware attack on kibbutz Ma'agan Michael, seizing 22 gigabytes of data and sending 5,000 false SMS warning messages.[6] In the same month, it also sent SMS messages to residents of the Ma'ale Yosef Regional Council, along with a malware app disguised as MyCity that gave Handala further access to the devices that downloaded it.[19] On 21 June, the group claimed without evidence on Telegram that it had targeted "thousands of Zionist organizations". On 20 July, in the wake of the CrowdStrike-related IT outages, Handala distributed emails containing wiper malware disguised as a PDF file of instructions on how to fix the issue.[20][19]
Beginning in September, Handala carried out a series of hacks targeting the emails of Israeli politicians. By November, the group had leaked 110,000 emails from former Israeli prime minister Ehud Barak, 60,000 emails from former IDF chief of staff Gadi Eisenkot, 50,000 emails from ambassador to Germany Ron Prosor, and 2,000 photos and 35,000 emails from former defense minister Benny Gantz.[19] That same month, the group hacked into Vidisco, claiming it had discovered a "backdoor" in security scanners that enabled the explosives used in Israel's pager attack in Lebanon to pass unnoticed.[21] On 30 September, Handala said that it had seized 197 gigabytes of data from the Soreq Nuclear Research Center in response to the killing of Hezbollah leader Hassan Nasrallah. The group had targeted Sheba Medical Center three months earlier, seizing data from a biotechnology corporation.[22]
On 3 October, Handala hacked into the Shin Bet's security system, stealing confidential information from around 30,000 officers. On 6 October, it leaked 300 GB of confidential information from Israeli Industrial Batteries, which provides services to Israel's military. On 8 October, Handala leaked 1.5 TB of data from Max Shop, a service used by over 9,000 Israeli stores, leaking financial transactions and customer data. On 28 October, it conducted a cyberattack on Israeli cybersecurity provider AGAS, compromising 74 of its servers.[19]
On 3 November, Handala hacked servers in El'ad, leaking more than 3 TB of data, including personal data from residents, and impacting municipal services.[19] On 12 November, Handala leaked photos allegedly seized from the phones of senior Israeli officials, including Benny Gantz and Natan Sharansky. One photo depicted Gantz topless in bed beside a woman. The group also posted 30 images taken at Soreq and the names of scientists working on its particle accelerator.[23] On 24 November, the group claimed that it seized documents containing the names of hundreds of Mossad operatives in response to the killing of Hamas leader Yahya Sinwar.[24]
2025
On 27 January 2025, Handala targeted Maager-Tec public address systems at at least 20 kindergartens in Israel, playing Arabic messages, anti-Israeli songs, and rocket sirens.[25][26] In May, Ehud Barak's email inbox was published by Distributed Denial of Secrets after being leaked by Handala, revealing an invitation to Barak from Jeffrey Epstein to a dinner with Peter Thiel in May 2014. Barak said he could not make it, although Epstein insisted on Barak meeting Thiel and offered to set up another meeting the next month.[27] On 8 July, the group said that it had accessed server infrastructure belonging to Iran International, and released photos of government IDs and other personal information belonging to five of its staff. The following day, it claimed that it had received information on thousands of people linked to the outlet, and later published the personal details of several journalists on Facebook.[28]
In November, it was reported that Handala obtained and leaked emails written between the 2000s and 2018 between Palantir co-founder Peter Thiel and top Israeli officials, such as Ehud Barak and Benny Gantz, who expressed interest in gaining access to his company.[29] On 29 November, the group said it left a bouquet of flowers inside of the car of a senior Israeli nuclear scientist, and also published personal information belonging to alleged Unit 8200 members.[30]
On 16 December, the group claimed it had released details on 13 designers of defense systems such as the Arrow and David's Sling, and offered a $30,000 bounty for more information on the Israeli military industry.[9] On 18 December, Handala said that it had hacked the phone of former Israeli prime minister Naftali Bennett, publishing his chat messages and a 141-page list of his contacts. Bennett said that only his Telegram account had been breached.[31] On 28 December, the group said that it had hacked into the iPhone of prime minister Benjamin Netanyahu's chief of staff, Tzachi Braverman, as part of its "Bibi Gate" operation. The group threatened to release files from the phone, including phone numbers linked to senior officials, but a breach was denied by the Prime Minister's Office.[32]
2026
On 3 January, Handala published 60 photos and videos from Ayelet Shaked's phone.[33] On 8 January, it claimed that it had surveilled a senior Mossad operative behind covert operations in Iran, and released videos allegedly shot outside their home.[34] On 25 February, the group said that it hacked into Clalit Health Services and released medical information from over 10,000 patients.[35]
Iran war
On 3 March, Handala placed a $250,000 bounty on the beheadings of Iranian-Canadian activist Goldie Ghamari and Iranian-American lawyer Elica Le Bon, claiming it had leaked their home addresses to the Jalisco New Generation Cartel.[36]
On 11 March, Handala claimed a cyberattack against the Michigan-based medical technology manufacturer Stryker Corporation, which serves 150 million patients. The attack affected devices connected to Microsoft Windows, disrupting much of the company's global operations, such as order processing, manufacturing, and shipping, and forcing tens of thousands of employees to be sent home.[37][1] The company said on 26 March that it had largely recovered from the cyberattack.[38] Handala said that it had destroyed over 200,000 of Stryker's systems and devices across 79 countries in response to the Minab school attack, which reportedly killed at least 170 people.[39][40] It was reported to have been the most severe Iranian wartime cyberattack against the US in history.[1] Also that day, Handala hacked the Academy of the Hebrew Language website, replacing it with its logo and the message: "There is no need to learn Hebrew anymore. You won’t need it for much longer."[41]
On 19 March, the Federal Bureau of Investigation (FBI) took down Handala's website, which the group used to document its activities. A backup website and two other sites linked to Iran's cyber operations were also shut down, and Handala's X account was banned.[42] The following day, Handala restored its website.[43] On 27 March, Handala said that it had hacked the personal email of FBI director Kash Patel, publishing more than 300 emails, as well as his photos and alleged resume.[44][45] Most of the emails released by the group were dated before 2019, before Patel was appointed director of the FBI. Following the hack, the Rewards for Justice Program offered up to $10 million in exchange for the identification of the Handala group.[46]