
The FBI on Thursday seized four websites tied to Handala, the pro-Iranian hacking group behind last week’s cyberattack on medtech giant Stryker that disrupted hospital operations, saying the takedown was part of a broader Iranian cyber and psychological operations campaign.
- The FBI just knocked Handala’s websites offline as US officials tied the group to a broader Iranian cyber and psychological operations campaign.
- The DoJ says the seized infrastructure was used to claim hacks, leak stolen data, and threaten dissidents, journalists, and Israeli-linked targets.
- Feds now link the takedown more directly to the Stryker cyberattack as Handala vows to regroup.
An FBI banner announcing the seizure is now parked at the same domain address handala-hack[.]to where the group's victim blog was loading without issue just hours earlier. A second domain, handala-redwanted[.]to, was also seized.
"The United States Government has taken control of this domain to disrupt ongoing malicious cyber operations and prevent further exploitation. The services or infrastructure previously accessible through this domain are no longer available," the FBI notice states.
The US Department of Justice (DoJ) later said the takedown was carried out under a court-authorized warrant issued by the US District Court for the District of Maryland, apparently based on an FBI undercover operation carried out by Maryland agents last March, in connection with a 2022 cyberattack on the Government of Albania and the nefarious doxxing of two US defense company executives in 2024.
“Individuals or entities who knowingly participate in, assist with, or attempt to restore infrastructure used in support of foreign state-sponsored cyber operations may be subject to criminal prosecution, sanctions, or other legal action under applicable United States law, including statutes related to computer intrusion, fraud, and/or conspiracy and material support to hostile foreign operations,” the FBI notice further states.
Although not naming Stryker directly, the DoJ said one of the seized Handala domains was used to claim credit for “the March 2026 destructive malware attack against a US-based multinational medical technologies firm.”
DOJ ties seizure to Iran cyber operations
A Justice Department press release issued Thursday said the takedown was part of a broader operation against four domains allegedly used by the Islamic Republic’s Ministry of Intelligence and Security (MOIS) for hacking, psychological operations, and transnational repression – not just the two Handala-linked sites first seen displaying the FBI seizure banners.
The DoJ said the operation targeted four domains – Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to.
Federal prosecutors said the infrastructure was used to claim cyberattacks, leak stolen data, dox targets, and post threats against dissidents, journalists, and Israeli-linked individuals.
“Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents,” said US FBI Director Kash Patel. “We took down four of their operation’s pillars and we’re not done.”
This seizure, according to the agency, is part of a continuing FBI operation to identify, disrupt, and hold accountable those responsible for hostile cyber activities directed against the United States, its institutions, and its partners.
“Iran, the leading state sponsor of terrorism worldwide, used the seized domains to dox and harass dissidents and journalists, incite violence against Jewish communities, and spread Tehran’s anti-American propaganda,” said US Assistant Attorney General for National Security John A. Eisenberg.
Handala responds, but the comeback stalls
Meanwhile, the hacktivist group has already responded to the FBI action on its latest and 41st Telegram channel in a message titled: “Statement from Handala Hack: Our Domain Seized, Our Mission Unstoppable,” referring to itself as the “voice of the voiceless.”
“To all freedom seekers around the world,
Today, in a desperate attempt to silence our voice, the FBI, acting on the orders of a US Federal Court, has seized and taken down the official Handala Hack domain. This act of digital aggression only serves to highlight the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive.
They may have taken down our website, but they will never take down our spirit, our resolve, or the power of truth,” Handala said.
The group also posted the seized domain addresses, which now point to FBI-controlled nameservers.
In another Telegram message, the hacker cartel also said it was establishing new infrastructure, posting a new web address for its followers.
“In light of recent events and the need to establish secure and resilient infrastructure, we inform you that building a new digital base is a complex and time-consuming process,” Handala wrote.
But it appears the group may have spoken too soon, as when Cybernews checked Handala’s replacement domain, it redirected us back to the same FBI seizure notice.
The US DoJ said the four seized domains were linked through shared leak sites, Iranian IP ranges, and a common operational “playbook” that included destructive and disruptive cyberattacks as well as “faketivist” psychological operations using data stolen via hacking.
How Handala got here
The FBI takedown lands after a volatile stretch of claims from Handala, which in recent days has been at the center of an escalating pro-Iran cyber campaign targeting US and Israeli-linked organizations.
The group, which emerged in late December 2023, drew attention this month after claiming attacks on Verifone and Stryker, two major US companies it framed as retaliation targets because of their ties to Israel.
According to researchers at SOCRadar, Handala Hack “is a destructive threat actor combining wiper attacks with hack-and-leak operations for maximum psychological impact,” echoing the DoJ’s description in Thursday’s release.
The DoJ said the seized domains were used in cyber-enabled psychological operations also tied to Iran’s Ministry of Intelligence and Security or MOIS.
Backed by the Islamic Republic’s Ministry of Intelligence and Security (MOIS), the state-aligned group commonly targets the medtech, education, finance, and government sectors, SOCRadar states.
Handala, widening its campaign over the past week, claims to have compromised the personal email account of former Mossad research director Sima Shine, leaking more than 100,000 emails.
The hacker collective additionally went after several other high-ranking Israeli intelligence and security officials, allegedly doxxing the identities of multiple senior Israeli Navy officers, as well as targeting the Hebrew University of Jerusalem.
Meanwhile, Verifone denied to Cybernews there was evidence of compromise, but the Stryker incident has quickly become harder to ignore as the fallout spreads.
Stryker later confirmed the March 11th breach had disrupted internal systems tied to its Microsoft environment, limiting access to parts of its business operations, devices, and services.
Handala, in several taunting posts, claimed it had wiped an “unprecedented” 12 petabytes of Stryker data using the company’s own Microsoft software and posted what it said were file samples showing access to backups, security systems, data protection tools, AWS and Azure-related assets, Rubrik Secure Vaults, medical product schematics, and invoices.
The company on Wednesday revealed the attack has now delayed some surgeries due to a backlog of order processing, manufacturing, and shipments, including deliveries of custom patient implants.
Stryker, which said over the weekend that the incident is now contained, has been focused on streamlining the restoration process, as the investigation remains ongoing.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new advisory, urging US organizations to immediately harden Microsoft environments to prevent further attacks.
The CISA warning says attackers may be actively targeting Microsoft endpoint management systems, the same ecosystem Handala had compromised in its Stryker attack.
Check Point researchers say Handala operators may be tied to a much older Iran-linked threat cluster, possibly dating back to around 2008, specifically the threat actors known as Void Manticore or Banished Kitten.
Handala, which has been championing the Palestinian cause since before the onset of Operation Epic Fury, has carried out several notable attacks after the war against Hamas began following the October 7th attacks on Israel, including the targeting of several London journalists working for Iran’s only independent media outlet, Iran International.