April 1, 2026 | Insight

6 Things To Know About Handala — Tehran’s Hackers Making Front Page News

U.S. law enforcement confirmed on March 27 that Iranian hackers operating under the name Handala compromised the FBI director’s personal email. The group claims to be an independent, pro-Palestinian hacktivist collective but instead serves as a front for Iran’s Ministry of Intelligence and Security (MOIS). Handala has mounted attacks against Israel and other countries since December 2023, increasingly targeting American victims since U.S.-Israeli airstrikes against Iran began on February 28.

1. Handala increasingly targets American companies.

In early March, Handala attacked Stryker, a Michigan-based medical technology company that produces hospital equipment used by more than 150 million patients worldwide. The attack reportedly deleted data from over 200,000 employee devices across 79 countries, disrupted Stryker’s business operations, and forced some hospitals to postpone surgeries. Handala framed it as retaliation for a U.S. missile strike on an Iranian school.

Two weeks later, Handala published the alleged personally identifiable information (PII) of 28 engineers working in Israel for the Maryland-based defense contractor Lockheed Martin. Publishing both names and home addresses, the group claimed to have contacted these individuals directly, warning them they will be targeted with missile strikes if they do not leave the Jewish state.

2. Handala is one of multiple front groups operated by Iran’s MOIS.

According to the Department of Justice, Handala is one of several hacktivist personas run by Iran’s MOIS. Like the Islamic Revolutionary Guard Corps (IRGC), MOIS uses front groups because they provide plausible deniability, hiding the Islamic Republic’s hand in online operations and potentially shielding the regime from retaliation. Further, Handala’s manufactured personas are disposable if the group is indicted or sanctioned.

3. Handala leverages the weak cyber hygiene of its targets.

Handala’s attacks have not relied on sophisticated capabilities. To compromise FBI Director Kash Patel’s personal email, the group likely relied on usernames and passwords stolen in old, unrelated data breaches that were discoverable in publicly available breach databases.

Unable to compromise sensitive networks at will, these hacktivist personas focus on targets of opportunity. Iran likely has no strategic interests in hacking a medical company like Stryker, but rather took advantage of access to an exposed organization.
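The access path described above, credentials stolen in old, unrelated breaches and reused on a current account, is one that defenders can check for before an adversary does. The following added example is not from the original article or from FDD; it demonstrates the k-anonymity range-query pattern used by breached-password services (the client reveals only the first five hex characters of a SHA-1 hash and matches the suffix locally), together with a simple cross-service reuse check. The breach corpus, the account list and the occurrence counts are all constructed for the example, and the "server" is an in-memory dictionary rather than a real service.

```python
"""Offline demonstration of a breached-credential check using the k-anonymity
range-query pattern: the client sends only the first five hex characters of the
SHA-1 hash, the server returns every hash suffix in that bucket, and the
comparison happens client-side, so the server never learns the full hash.
Everything here runs against a constructed in-memory corpus; no network access
and no real breach data are involved."""
import hashlib
from collections import Counter

# Constructed "breach corpus": passwords that supposedly appeared in old,
# unrelated breaches, each with a made-up occurrence count (assumption).
CONSTRUCTED_BREACH_CORPUS = {
    "password123": 1234567,
    "letmein": 89012,
    "qwerty2019": 4567,
    "Summer2020!": 321,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the format breach lists use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Simulated server-side index: 5-char prefix -> {35-char suffix: count}
_RANGE_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in CONSTRUCTED_BREACH_CORPUS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_query(prefix: str) -> dict[str, int]:
    """Simulated server endpoint: return every suffix sharing this prefix.
    The server cannot tell which suffix (if any) the client cares about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: send only the prefix, then match the suffix locally.
    Returns how often the password appeared in the corpus (0 = not found)."""
    h = sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)


def audit_accounts(accounts: list[tuple[str, str, str]]) -> list[dict]:
    """Flag credentials that (a) appear in the breach corpus or (b) are reused
    by the same person across services. accounts: (person, service, password).
    Passwords are compared by hash so the audit never stores them in the output."""
    reuse = Counter((person, sha1_hex(pw)) for person, _svc, pw in accounts)
    findings = []
    for person, service, pw in accounts:
        count = breach_count(pw)
        reused = reuse[(person, sha1_hex(pw))] > 1
        if count or reused:
            findings.append({
                "person": person,
                "service": service,
                "breached_count": count,
                "reused": reused,
            })
    return findings


if __name__ == "__main__":
    # Constructed sample accounts (assumption): one person reuses a breached
    # password across a work and a personal mailbox.
    sample = [
        ("alice", "work-mail", "Summer2020!"),
        ("alice", "personal-mail", "Summer2020!"),
        ("bob", "personal-mail", "correct horse battery staple 7"),
        ("carol", "work-mail", "letmein"),
    ]
    for finding in audit_accounts(sample):
        print(finding)
```

In a real deployment the `range_query` function would be replaced by an HTTPS call to a breached-password service, and the audit would run against password hashes at change time rather than against plaintext lists; the point of the prefix-only query is that an organization can check its users' credentials against a breach corpus without ever sending the credentials themselves to a third party.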

4. Handala honed its tactics against Israel before turning them against America.

Handala has brought the same tactics it honed against Israel to target American citizens and companies. Before compromising Director Patel’s email, Handala likely used the same or similar methods to hack the personal phone of Israeli politician Naftali Bennett and other Israeli senior officials in December 2025. Before doxxing Lockheed Martin employees, Handala scraped information from LinkedIn profiles to threaten Israelis working in the defense industry. Pro-regime hackers also compiled breach data and publicly available social media information to create dossiers on Israeli air force pilots, threatening them with online and physical harassment.

5. Handala exaggerates its impact for psychological effect.

Handala, like other Iranian cyber threat actors, exaggerates the operational impact of its attacks. For example, IRGC-front group Cyb2rAv3ngers repurposed old information to fabricate a story that the group had compromised Israel’s electricity grid. The attack never occurred, but the lie fooled Western media outlets and even some threat analysts, successfully sowing fear about the scale of Iran’s cyber prowess.

6. The U.S. should target the hosting companies that enable Handala — not just the domains they hide behind.

Following Handala’s attack on Stryker, the Justice Department seized domains used by Handala and other MOIS front groups to publish stolen data and conduct operations. The FBI also published an advisory on how some Iranian threat actors, including Handala, conduct their operations, and the State Department issued a $10 million reward for any information leading to the arrest of the operators behind Handala and other Iranian cyber fronts. However, Handala quickly rebuilt new versions of the seized infrastructure.

Iranian actors can easily reregister domains and set up new accounts, either directly or through criminal services that mask their infrastructure. The Treasury Department has sanctioned some of the bulletproof hosting companies that enable these operations, but has not targeted enough of the internet infrastructure and financial networks that underpin Handala and other regime front groups.

Ari Ben Am is an adjunct fellow at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where he focuses on emerging threats, influence and information operations, cyber operations, and hybrid warfare. Ethan Sheinker is an intern at CCTI. Follow FDD on X @FDD, @FDD_CCTI, and @FDD_Iran. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.