SOCRadar® Cyber Intelligence Inc. | Inside Handala’s Hack on the FBI Director
Mar 30, 2026

Inside Handala’s Hack on the FBI Director

The digital battlefield is heating up, and this time, the crosshairs have landed on one of the highest-ranking law enforcement officials in the United States. In a brazen move that blends cyber espionage with psychological warfare, the hacktivist group known as “Handala” recently breached the personal email account of FBI Director Kash Patel.

But who exactly is Handala, what did they uncover, and what else have they been up to in the shadows of the internet?

Who is the Handala Group?

To understand the attack, we first have to understand the attackers. Handala (also known as Handala Hack Team) emerged on the scene in December 2023, shortly after the outbreak of the war in Gaza. The group presents itself as a grassroots, pro-Palestinian hacktivist collective. Their name and logo are borrowed from “Handala,” the iconic barefoot refugee boy created by Palestinian political cartoonist Naji al-Ali in 1969, which symbolizes resistance and defiance.

However, cybersecurity experts and threat intelligence vendors have a very different assessment.

Handala is believed to be a state-backed cyber persona operated by Iran’s Ministry of Intelligence and Security (MOIS). Known by security researchers under various aliases like Void Manticore, Storm-0842, or Banished Kitten, the group acts as a deniable front for Iranian intelligence to execute disruptive cyberattacks, data leaks, and psychological influence campaigns.

The Breach of the FBI Director

On March 27, 2026, Handala made global headlines when they announced they had successfully hacked the personal Gmail account of FBI Director Kash Patel. On their website, the group gloated that Patel “will now find his name among the list of successfully hacked victims”.

To prove their claims, Handala released a sample of more than 300 emails, alongside personal photographs and a resume. The leaked images show Patel posing in front of a mirror with a bottle of rum, smoking a cigar, and standing beside an antique sports convertible.

Patel standing beside an antique sports convertible

While a hack on the FBI Director sounds catastrophic, the fallout is somewhat contained. The FBI quickly confirmed the breach of Patel’s personal email but clarified that the compromised data was “historical in nature and involves no government information”. The majority of the leaked emails and documents date back to between 2010 and 2019, long before Patel was appointed as the head of the bureau.

Why Patel? The attack appears to be a direct retaliation. On March 19, 2026, the FBI seized four domains used by Handala for terrorist propaganda and hacking operations. Additionally, the U.S. government announced a massive $10 million reward for information leading to the identification of the group’s members. In response, Handala claimed the hack on Patel was payback for the domain seizures and the bounty, as well as a retaliatory measure for a U.S.-Israeli strike on an Iranian school.

Twitter post related to the reward for the group’s members

If you have any information about Iranian malicious cyber actors, including “Parsian Afzar Rayan Borna”, “Hanzalah Hacking Group”, or other individuals and groups associated with them, please contact us and send us information such as their names, virtual personas, and locations.

A Trail of Digital Destruction: Other Recent Handala Hacks

The breach of the FBI Director is just one piece of a much larger, highly destructive puzzle. Handala has been incredibly active throughout early 2026, executing a series of high-profile cyberattacks:

  • The Stryker Corporation Wipe: On March 11, 2026, Handala executed what is considered one of the most severe Iranian wartime cyberattacks against the U.S. in history. By hijacking compromised Global Administrator credentials in Microsoft Intune, Handala bypassed traditional malware entirely and used legitimate administrative tools to factory-reset and wipe over 200,000 systems, servers, and mobile devices across 79 countries belonging to the medical device giant Stryker.
  • Doxxing Lockheed Martin Engineers: In a chilling psychological operation, Handala doxxed 28 Lockheed Martin engineers working on military projects in Israel. The group leaked their passport details, IDs, and residential addresses, threatening that the engineers’ homes would become “missile targets” and claiming they had “friends in the US” who would visit the engineers’ families if they didn’t leave Israel within 48 hours.
  • Targeting Israeli Infrastructure and Officials: Handala has relentlessly targeted Israeli institutions. They hijacked public address systems in over 20 Israeli kindergartens to broadcast air raid sirens and threatening Arabic messages. They also claimed to have stolen nearly 200 gigabytes of data from the Soreq Nuclear Research Center and breached the servers of the Institute for National Security Studies (INSS), leaking correspondence from senior Israeli intelligence figures.
  • Telegram Session Hijacking: Handala previously claimed to have completely compromised the iPhones of former Israeli Prime Minister Naftali Bennett and the current Prime Minister’s chief of staff. However, security researchers revealed this was not a sophisticated iPhone hack, but rather a “session hijacking” of their Telegram desktop accounts, which allowed the hackers to access contacts and cloud chats.

As the geopolitical conflict between Iran and Israel spills over into the digital realm, tracking the rapid evolution of state-sponsored cyberattacks has never been more critical. For security teams and analysts looking to stay ahead of these threats, SOCRadar offers an Iran–Israel/US War 2026: Live Cyber Attack Dashboard that tracks the full spectrum of Iranian cyber activity, providing analyst-vetted assessments to separate verified intelligence from the noise of daily propaganda.

Conclusion

The Handala group perfectly illustrates the terrifying evolution of modern cyber warfare. By operating under the guise of grassroots hacktivism, Iranian state-backed actors are launching attacks that blur the lines between data theft, psychological intimidation, and outright digital destruction. From erasing hundreds of thousands of corporate devices worldwide to doxxing defense engineers and leaking the personal photos of the FBI Director, Handala’s operations are designed to humiliate adversaries and inflict maximum operational chaos.

As global geopolitical tensions continue to spill into cyberspace, the message Handala is sending is clear: whether you are a global corporation, a defense contractor, or the head of the FBI, your digital life is on the front lines.