Verifone and Stryker claims by Iran-linked hackers as cyber retaliation fears grow


In less than a day, the Iran-linked hacktivist group Handala claims attacks on two multinational US companies – the electronic payments giant Verifone and the major medical technology company Stryker, both of which have strong ties to Israel. Verifone on Thursday denied the breach claims.

Key takeaways:

Handala is just one of dozens of pro-Iranian hacker collectives mobilizing following the February 28th US–Israeli strikes on Iran, with security researchers warning that more attacks could follow.


The Handala Hack Team on Wednesday posted on its Telegram channel and dark leak site that it carried out the alleged attacks in "direct response to the ongoing cyber assaults against the infrastructure of the Axis of Resistance."

Handala claims attacks on Verifone

“This attack is a decisive and direct response to the Zionist regime’s airstrikes targeting banking infrastructure, making it clear that every blow will be met with an even greater response,” the hackers wrote in the Verifone post.

Pro-Iran hacktivists Handala claim payment processing giant Verifone on its dark leak site March 11th, 2026. Image by Cybernews.

“Today, we could have taken entire countries offline, but for now, this operation serves as a serious warning,” the group wrote, alongside several leak samples and a threat to “all governments, corporations, and especially those so-called ‘friendly’ nations” to cut ties with the warring allies.

Headquartered in New York City, with a major presence in Israel, Verifone is used by over 75% of top retailers across more than 150 countries, boasting that it handles billions of transactions every year, according to its website.

The group's post did not say how much data, if any, it may have stolen in the breach, and as of Wednesday, the Verifone website appears to be loading normally.

“Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients.”

– Verifone statement sent to Cybernews. March 11, 2026.

In a statement sent to Cybernews on Thursday, Verifone flat-out denied any network interruptions in connection with the Handala Hack claims.

“Verifone closely monitors the security and integrity of its systems worldwide. We have observed recent allegations on March 11, 2026, from threat actors claiming an intrusion into our systems in Israel,” the global payment service provider (PSP) said.

“Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients,” the statement concluded.

Verifone payment processing card reader device. Image by PJ McDonnell | Shutterstock

Still, after examining Handala's sample files, one apparent security researcher on X added a bit more context in a post describing the documents in detail.

The screenshots “show access to Verifone’s Retail 360 (R360) payment management environment, a backend platform used to administer and monitor point-of-sale terminals,” said X user Thomas Keith, a self-proclaimed "ghost in the machine."

“Several panels display merchant dashboards written in Hebrew along with Israeli retail entries, indicating the environment is tied to a Verifone deployment serving Israeli merchants and payment terminals,” he writes.

Keith’s post – which has been making the rounds on social media – lists exposed terminal identifiers, hardware metadata, Windows server access, internal network paths, and “Remote Requests” monitoring screens, among others.

“Penetration at this level exposes the administrative control plane that coordinates thousands of terminals rather than a single merchant endpoint,” Keith states.


Stryker discloses hit, adding to alarm

Earlier Wednesday, Handala also said it was responsible for a massive cyberattack against the med-tech behemoth, the Stryker Corporation, as payback "for the brutal attack on the Minab school," which killed more than 170 people, including many young schoolgirls.

The strikes are now being blamed on the US, The New York Times reported Thursday, due to outdated intelligence, although the military investigation is still ongoing.

Medical technology firm Stryker, headquartered out of Kalamazoo, Michigan, is targeted by the pro-Iranian hacker group Handala. Image by JHVE Photo | Shutterstock

Stryker makes a range of hospital equipment and provides medical IT services for more than 150 million patients each year.

The Michigan-based company said in an 8-K filing with the US Securities and Exchange Commission (SEC) Wednesday that the cyberattack "resulted in a global disruption to the Company's Microsoft environment," with Handala further claiming that its attack "forced Stryker offices in 79 countries to be shut down."

Staff and contractors reported seeing what appeared to be the logo of the pro-Iranian hacking group displayed on internal login pages, and media have reported the company was forced to send home 5,000 workers from its massive hub in Ireland due to the system outages.

"In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted," Handala wrote on the victim blog site.

Pro-Iran hacktivists Handala claim the wiper attack on Stryker was in retaliation for last week's bombing of an Iranian school, which reportedly killed more than 170 people, many of them children.

Employees were also quoted in the Irish Examiner as saying that "anyone with Outlook on their personal phones had their phones wiped," and that staff were now “communicating through WhatsApp groups for updates on when they can return to work.”


In addition to the mess in Ireland, healthcare providers in the US struggled to order surgical supplies through Stryker on Wednesday, KrebsOnSecurity reported.

The disruption also affected Stryker’s Lifenet tech platforms, which emergency responders use to send patient data to hospitals, forcing at least one statewide EMS system to revert to radio communications, according to AOL.

Stryker said it has no evidence of ransomware or malware and believes the incident has been contained, yet also noted that the timeline for full restoration remains unknown.

Stryker LifePak defibrillator device. Image by Stryker

Flashpoint CEO Josh Lefkowitz says the Stryker attack highlights a troubling shift in destructive cyber operations.

“Rather than targeting hospitals or frontline healthcare providers directly, adversaries may focus on critical suppliers and logistics providers where disruption can cascade across the entire healthcare ecosystem,” Lefkowitz explains.

“A single intrusion at a key node in the supply chain has the potential to create widespread operational impact far beyond the initial target,” he adds.

Stryker has provided multiple website updates for customers of LifePak and other medical services on Thursday, stating that devices and systems are operating normally.

Stryker is providing updates to customers about systems, devices and recovery after a massive breach claimed by pro-Iran hackers. Image by Cybernews via Stryker.com

Researchers warn cyber retaliation risks rising

In recent weeks, analysts have warned that Iranian cyber actors could escalate operations targeting Western companies and critical infrastructure as tensions in the region continue to rise.


A Sophos advisory issued on March 2nd says proxy-fueled attacks could include website defacements, distributed denial-of-service attacks, ransomware, destructive “wiper” malware, hack-and-leak operations, and credential-based attacks such as phishing and password spraying.


Days later, the Iranian state-backed hackers known as Seedworm were found already lurking inside US-Israeli critical networks.

Seedworm – also known as MuddyWater – is a long-running Iranian threat group associated with espionage campaigns and covert access to corporate and government networks.

The Iranian-linked APT (advanced persistent threat) is alleged to have maintained access to multiple organizations since early February, according to a threat intelligence report by Symantec and Carbon Black.


Recent intrusion attempts have been observed across several critical sectors, including finance, aviation, technology, and nonprofit organizations in North America.

Handala, which has been active since 2023, is one of several hacker groups researchers say have increased cyber activity during the recent escalation.

“Tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement. However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism,” said Kathryn Raines, Threat Intelligence Lead for the National Security Solutions Team at Flashpoint.

Handala Hack Team logo. Image by Cybernews via Telegram.

“What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure – potentially weaponizing Microsoft Intune – to carry out destructive activity at scale,” Raines pointed out.

According to Flashpoint intelligence, the Islamic Revolutionary Guard Corps (IRGC) on Wednesday specifically named several US tech giants as targets due to their Israeli ties or cloud services, including cloud providers: Amazon (AWS), Google, Microsoft, Oracle, and IBM.

Because it's unclear what the IRGC's current capabilities are, it is entirely possible that those threats were made as an indirect call to pro-Iranian groups, like Handala, to focus on hacking those big-name targets.


Other groups cited as having stepped up activity include CyberAv3ngers, Soldiers of Solomon, Cyber Toufan, and Dark Storm Team, alongside loosely affiliated collectives such as Mysterious Team Bangladesh, Anonymous Arabia, and the pro-Russian DDoS group NoName057(16).

Analysts warn that already compromised networks could potentially be used for disruptive, destructive, or intelligence-driven cyber operations if tensions continue to escalate.

