
The Iran-linked Handala Hack Team on Friday claimed to have hacked the personal email account of FBI Director Kash Patel – a sign of defiance after FBI agents seized the group’s website infrastructure just last week.
- Iran-linked Handala now claims it hacked FBI Director Kash Patel’s personal email account.
- The FBI confirmed Patel’s emails were targeted, but says the material was historical and involved no government information.
- The taunt lands just one week after the FBI seized Handala’s website domains, signaling the group is escalating again.
Handala taunts FBI after seizure
The pro-Iranian hacking collective posted the claim on its brand-new victim blog site Friday, along with what appears to be a personal dossier of images of Patel taken outside his official role as FBI chief.
“Today, once again, the world witnessed the collapse of America’s so-called security legends. While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala Hack members, we decided to respond to this ridiculous show in a way that will be remembered forever,” the group wrote on its new leak site.
“All personal and confidential information of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download,” Handala claimed, also boasting about the alleged “get” on its now 42nd Telegram channel.
The posted samples include nine personal photos of Patel and an alleged resume belonging to the FBI head.
The leaked material included a mix of casual personal photos, showing Patel relaxing and smoking a cigar, posing next to a statue, sitting in a classic car, and taking mirror selfies with a bottle of ultra-premium Cuban rum. One photo shows him in a New York Islanders jacket in an office setting, while another appears to show him in a West Point T-shirt on an airport tarmac.
A Justice Department official confirmed to Reuters that Patel's email had been breached and said the material published online appeared authentic.
FBI spokesperson Ben Williamson also confirmed to Reuters that Patel’s emails had been targeted, but said the data involved was "historical in nature and included no government information," adding that the bureau had "taken all necessary steps to mitigate potential risks associated with this activity."
Additionally, the Gmail address shown in the leaked documents appears to match a personal Gmail address linked to Patel from previous data breaches, according to the dark web intelligence firm District 4 Labs, Reuters said.
Patel files mix personal and work material
The post includes a download link that appears to show a mix of personal and work correspondence dating between 2010 and 2019, the news outlet said after reviewing the material.
“To the whole world, we declare: the FBI is just a name, and behind this name, there is no real security. If your director can be compromised this easily, what do you expect from your lower-level employees?” Handala concluded its post, adding that the Patel hack is “just our beginning….”
Ross Filipek, CISO at Corsica Technologies, says that “depending on what was sitting in the inbox and what it was connected to, even a relatively ‘clean’ inbox can expose contact lists, travel details, and personal context that make future phishing attempts more dangerous.”
Filipek points out that if attackers managed to obtain “account recovery details, saved logins, or anything tied to other services, the blast radius can widen fast without anyone needing to touch classified systems.”
And even if the Patel breach turns out to be more noise than a catastrophe, Filipek says, the hack is still “a clear snapshot of where the conflict is headed on the cybersecurity front.”
Handala widens threats after FBI takedown
On March 19th, Patel and the US Department of Justice announced they had seized four websites tied to the pro-Iranian hacking group, saying the takedown was part of a broader Iranian cyber and psychological operations campaign.
An FBI banner is now parked at those same domain addresses.
Federal prosecutors said the seized infrastructure was used to claim cyberattacks, leak stolen data, dox targets, and post threats against dissidents, journalists, and Israeli-linked individuals – including the devastating March 11th cyberattack on Stryker, a major US medical technology company, among others, allegedly due to its strong ties to Israel.
Stryker makes a range of hospital equipment and provides medical IT services for more than 150 million patients each year.
The attack on Stryker’s global network decimated internal systems tied to its Microsoft environment by exploiting Intune, Microsoft's cloud-based endpoint management system, effectively limiting employee access to business operations, devices, and services.
Although the company announced on Thursday that most systems have been restored, the medtech firm acknowledged last week that the “disruptions to ordering, manufacturing, and shipping” were causing delays for some patient surgeries.
Meanwhile, Handala, which immediately responded to the FBI takedown, vowing to regroup with a vengeance, created a fresh leak site on Thursday to post threats against US aerospace defense giant Lockheed Martin, leaking sensitive data and threatening the company's engineers, allegedly working on military projects in Israel.
Filipek notes that the wider issue is not just that the personal inbox of FBI Director Kash Patel got breached, “it’s that the fight keeps spilling into the digital perimeter where headlines, pressure, and perception matter as much as pure technical impact.”
“These campaigns are built to signal capability, grab attention, and keep defenders reacting, and that is exactly why cybersecurity has become so relevant in the Middle East conflict,” Filipek said.
Handala doubles down on Verifone claim as Iran ties sharpen
In another twist to the Handala hack saga, on Friday the group also posted this cryptic message, seemingly related to earlier claims of a successful hack of the payment processing behemoth Verifone, which Verifone representatives have vehemently denied ever taking place.
Headquartered in New York City, with a major presence in Israel, Verifone is used by over 75% of top retailers across more than 150 countries, handling billions of transactions annually.
“There is currently a widespread disruption in point-of-sale systems across chain stores throughout the United States. Further information will be provided later. Responsibility for this cyber breach has been claimed by Handala,” the group wrote on Telegram.
Security researchers at SocRadar say Handala, which has been active since 2023, may be tied to a much older Iran-linked threat cluster, specifically operators known as Void Manticore or Banished Kitten.
Handala has been championing the Palestinian cause since before the onset of Operation Epic Fury, carrying out several notable attacks after the war against Hamas in Gaza began following the October 7th attacks on Israel.
The DoJ said the seized domains were used in cyber-enabled psychological operations also tied to Iran’s Ministry of Intelligence and Security or MOIS, although the group has tried to pass itself off as just another lowly hacktivist group.
Handala's recent campaign has claimed to have compromised the personal email account of former Mossad research director Sima Shine, leaking more than 100,000 emails.
The hacker collective additionally went after several other high-ranking Israeli intelligence and security officials, allegedly doxxing the identities of multiple senior Israeli Navy officers, as well as targeting the Hebrew University of Jerusalem.
Handala is just one of dozens of pro-Iranian hacker collectives that have mobilized following the February 28th US-Israeli strikes on Iran, with security researchers warning that more attacks could follow.