Handala Claims It Disrupted Israeli Radar Systems: Here’s What We Actually Know

On the same day that Iran and Israel traded missile strikes in their most serious exchange since the April ceasefire, an Iranian-linked hacker group called Handala posted a series of messages on Telegram claiming it had launched crippling cyberattacks against Israeli military and civilian targets. The claims include “widespread and targeted signal disruption” of Israeli radar systems and a “cyber siege” on the Kfar Yona municipality in central Israel.

The war that started in February

On February 28, 2026, the United States and Israel launched Operation Epic Fury, a massive joint airstrike campaign targeting Iran’s military infrastructure, government buildings, and nuclear-related facilities. The strikes killed Supreme Leader Ali Khamenei and several top officials. Iran fired back with missiles and drones aimed at Israel, US military bases, and US-allied countries across the Gulf. It also closed the Strait of Hormuz, sending shockwaves through global energy markets.

What followed was weeks of devastating tit-for-tat strikes. Iran hit targets in the UAE, Saudi Arabia, Qatar, Kuwait, Bahrain, Iraq, and Jordan. Hezbollah opened a second front from Lebanon, prompting Israeli bombardments that killed hundreds of Lebanese civilians.

The ceasefire and its limits

On April 8, Pakistan brokered a fragile but working two-week ceasefire between the United States and Iran, ending roughly 40 days of fighting.

Israel and Iran immediately disagreed on whether Lebanon was included. Hours after the ceasefire announcement, the IDF launched what it called its “most powerful attacks” on Lebanon, killing at least 357 people. Netanyahu said the truce did not extend to his war against Hezbollah. Pakistan, Iran, and Hezbollah said otherwise.

A separate US-brokered Israel-Lebanon ceasefire followed on April 16. Iran briefly reopened the Strait of Hormuz during the truce but closed it again the next day after the US refused to lift its naval blockade. Talks continued through April and May, mediated by Pakistan, but a lasting deal remained out of reach.

The ceasefire held in a tense, qualified way for about two months. Both sides tested its boundaries without collapsing it entirely.

June 7: the ceasefire cracks open

The sequence that unraveled the ceasefire began on Sunday, June 7, when Hezbollah fired projectiles toward northern Israel and Israel responded with airstrikes on Dahiyeh. Lebanon’s health ministry reported two killed and twenty wounded. The operation went ahead despite Washington having urged Israel, days earlier, to refrain from striking Beirut. A senior US official told reporters that the administration “was not surprised” by the attack but would not confirm whether it had received advance notice.

Iran had stated repeatedly that any Israeli strike on Beirut would trigger a full-scale regional response. That evening, the IRGC launched missiles toward Israel for the first time since the April ceasefire took effect.

In a statement to The New York Times, the IRGC said the ceasefire “was conditional on a ceasefire on all fronts” and called the operation “a warning,” adding that “if aggressions are repeated, the responses will be broader.” Israel struck back within hours, hitting targets in Tehran, Tabriz, and Isfahan.

Handala’s claims surface

Against this backdrop, the Handala Hack Team posted four messages to its Telegram channel, opened with “In the name of God, the Breaker of Tyrants” in Arabic. Five minutes later came the main statement: “Today marks the beginning of the end. Handala invites you to witness the most devastating cyberattacks targeting the enemy’s military and vital infrastructure, and this is only the first warning.”

The message threatened every country that supports Israel, saying “no land is too distant, no server is safe, and no network is out of reach.”

The group claimed that “at this very moment, the radar systems of the Zionist regime are experiencing widespread and targeted signal disruption by Handala’s team.”

Handala then shifted to a governmental target, claiming the Kfar Yona Municipality was “under Handala’s cyber siege, drowning in a storm of digital paralysis and information chaos.”

Why the radar claim should be treated with caution

First, the evidence shared so far does not support it. For the radar claim specifically, Handala posted no proper details.

The group did share a couple of screenshots on its Telegram channel, but these show the IVR (Interactive Voice Response) admin panel of a system consistent with the Tadiran Telecom Aeonix system, an Israeli-made VoIP and unified communications platform widely deployed in various organizational environments. The screenshots display a sample auto attendant call-routing script with the default language set to Hebrew and several Hebrew-language entries in the sidebar.

This is consistent with access to a municipal phone system (Kfar Yona claim), but it has nothing to do with military radar infrastructure.

Second, the claim is sourced entirely from one side of an active conflict.

Third, there is no Israeli response. The Israel National Cyber Directorate, the IDF, and Israeli media have not acknowledged the radar claim, but this pattern is consistent with how Israel has handled previous Handala statements.

Fourth, the timing and language are designed for maximum propaganda impact. Claiming radar disruption while actual missiles are flying serves a narrative purpose: it suggests that Israel’s defenses are being degraded from both the physical and digital fronts simultaneously. Whether that is true is a separate question from whether it is useful messaging for Tehran.

Fifth, and most fundamentally, Handala has made this exact type of claim before and been caught fabricating evidence.

The claim also sits awkwardly between the two purposes it could serve. If the goal were propaganda, Handala would have every reason to publish detailed evidence of a radar breach, the way it did with the Stryker wiper attack, where employees saw the Handala logo on their own screens. Unverified statements carry far less weight as psychological operations than screenshots of military systems.

If the group had genuinely penetrated Israeli radar infrastructure for intelligence purposes, announcing it on Telegram would be operationally reckless. The fact that Handala went public with the claim but provided nothing to back it up fits neither scenario cleanly.

There is also the question of how Iran has actually approached the problem of Israeli air defenses throughout this conflict, and the answer has very little to do with cyber operations.

Since the war began, Iran has fired over 1,000 ballistic missiles at Israel, roughly half of which carried cluster warheads dispersing 20 to 80 submunitions each, according to a JINSA report titled ‘The Eroding Shield.’ These submunitions are specifically designed to complicate interception: they separate at high altitude, generating dozens of independent tracks that force fire-control systems to evaluate each one individually, consuming interceptor rounds on fragments rather than primary warheads. The same report indicated the IDF at times chose not to intercept certain incoming missiles in order to conserve Arrow interceptors.

This is a military problem being addressed through military means: volume, timing, warhead design, and deliberate exploitation of interceptor economics. Against that backdrop, an unverified Telegram post claiming ‘signal disruption’ of radar systems looks less like a complementary cyber operation and more like a group attaching itself to events it had no hand in shaping.

The bigger picture

Whatever the truth of the radar claim, the broader context is real. Iran’s cyber operations have escalated sharply since the war began on February 28.

Handala has conducted hundreds of documented operations, and its confirmed capabilities include credential theft, abuse of legitimate enterprise management tools, destructive wiper malware, and hack-and-leak campaigns. The DOJ attribution, the FBI domain seizures, and the Stryker SEC filing all point to a group that is real, state-affiliated, and operationally active.

Cyber operations in this conflict function as an extension of the kinetic battlefield, and there is no indication that either the physical or digital front is approaching a resolution. As long as missiles continue to fly between Iran and Israel, groups like Handala will continue to time their claims to coincide with real-world strikes. More attacks and more unverified claims should be expected in the days ahead.