Iran's Cyber War Comes Home: How Handala Hacked the FBI Director's Email
Iran-linked hackers breached FBI Director Kash Patel's personal Gmail account and published his private photographs and emails online on March 27. The FBI confirmed the breach. The DOJ had seized the same group's websites just eight days before. The hack is a window into how Iran is waging a parallel cyber war — and why personal email accounts are the soft underbelly of US national security.
What Happened
On Friday, March 27, 2026, a hacker group called the Handala Hack Team published personal photographs and a sample of more than 300 emails purportedly stolen from the personal Gmail account of Kash Patel, the Director of the Federal Bureau of Investigation. The photographs showed Patel at various locations — smoking and sniffing cigars, riding in an antique convertible, taking a selfie next to a bottle of liquor, and posing in what appeared to be restaurants and hotels, according to Reuters and BBC.
The FBI confirmed the breach. Bureau spokesman Ben Williamson said in a statement that "we have taken all necessary steps to mitigate potential risks associated with this activity" and that the data involved was "historical in nature and involves no government information."
Alongside the photographs, Handala published what they described as a sample of emails dating between 2010 and 2019. Reuters was unable to independently authenticate the messages, but noted that the personal Gmail address Handala claims to have accessed matches an address linked to Patel in previous data breaches preserved by the dark web intelligence firm District 4 Labs. Google did not respond to Reuters' request for comment.
Handala posted a statement on its website reading: "This is just our beginning." The group said Patel "will now find his name among the list of successfully hacked victims."
The FBI is offering up to $10 million for information that helps identify members of the Handala group, according to BBC.
Friday's publication was not the first time Iranian hackers targeted Patel's communications. NBC News and CNN reported that in late 2024 — weeks before Patel was confirmed as FBI director — US officials informed him that he had been targeted as part of an Iranian cyberattack and that some of his personal communications had been accessed. US News placed the prior breach in December 2024. BBC noted that it is not clear whether that 2024 breach is the same incident as Friday's Handala publication, or a separate operation.
Who Is Handala?
Handala takes its name from the Handala character in the political cartoons of Palestinian artist Naji al-Ali — a barefoot, spiky-haired child figure who became a symbol of Palestinian resistance. The hacker group first appeared in December 2023, shortly after the October 7 Hamas attacks on Israel, according to Wikipedia and WIRED.
Western cybersecurity researchers and US prosecutors have concluded that Handala is not what it presents itself as. The group calls itself a pro-Palestinian vigilante hacking collective. In reality, according to WIRED, it is widely believed within the cybersecurity industry to be a front for Iran's Ministry of Intelligence and Security (MOIS). US prosecutors have formally accused MOIS of operating the Handala group, per TechCrunch.
The group is tracked under multiple names by different cybersecurity firms and government agencies. GovInfoSecurity reported that researchers track it as Banished Kitten, Storm-0842, and Void Manticore, among other designations.
Between February 2024 and February 2025, the Handala Hack Team conducted at least 85 attacks, primarily against targets in Israel, according to a report by the International Institute for Counter-Terrorism (ICT). The group subsequently expanded its target set to include US entities, Iranian opposition media, and now senior US government officials.
WIRED described Handala as "the most prominent player in a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated chaos on adversaries." The report noted the group has "launched data-destroying and hack-and-leak operations for years against targets ranging from the Albanian government to Israeli businesses and political officials."
In summer 2025, Handala briefly shifted its focus to hack Telegram accounts of journalists at Iran International, the London-based opposition television channel, releasing extensive personal information about them, according to the Jerusalem Institute for Strategy and Security (JISS).
The DOJ Takedown That Didn't Hold
The Patel hack came eight days after the US government tried to disrupt Handala directly. On March 20, 2026, the Department of Justice seized four domains associated with the Handala Hack Team, Reuters reported. The DOJ stated that Iran's MOIS had been using the Handala websites to spread "terrorist propaganda," conduct "attempted psychological operations targeting adversaries of the regime," claim credit for hacking activity, and call for the killing of journalists and dissidents.
The DOJ's own press release cited a specific example: "the MOIS used the Handala-hack[.]to domain to claim credit for a March 2026 destructive malware attack against a US-based multinational medical technologies firm," referring to the breach of Stryker Corporation.
Handala restored its web presence within approximately one day of the DOJ seizure, according to Cyberwarzone. The group registered a new domain and resumed operations. It was on a newly registered domain — registered the same day as the Patel hack, BBC reported — that Handala published the FBI director's data.
The sequence illustrates a persistent limitation of domain seizures as a counter-hacking tool: they disrupt visibility temporarily but do not neutralize a group's operational capability.
The Stryker Attack: The First Major US Corporate Target
The Patel hack was Handala's most prominent US government target, but it was not the group's first major US strike since the Iran war began on February 28, 2026. On approximately March 11, 2026, Handala claimed responsibility for a destructive cyberattack against Stryker Corporation, a Michigan-based medical devices and services company.
WIRED reported that the attack "reportedly disabled as many as tens of thousands of computers and paralyzed much of the company's global operations." Handala said the attack was carried out "in retaliation for the brutal attack on the Minab school" — referencing a US Tomahawk missile strike that killed at least 165 civilians at a girls' school in Iran, according to NPR and UN reporting. Stryker confirmed it was aware of the attack but did not provide details on its scope.
In a separate operation on March 26, 2026 — the day before the Patel hack — Handala claimed to have published the personal data of dozens of Lockheed Martin employees stationed in the Middle East. Lockheed Martin said it was "aware of the reports" and had procedures in place "to mitigate cyber threats to our business," per Reuters.
Why Personal Email Is the Weak Link
The Patel hack fits a documented pattern. Personal email accounts — not government systems — have repeatedly been the entry point for politically damaging breaches of senior officials.
In 2016, Russian state hackers breached the personal Gmail account of Hillary Clinton campaign chairman John Podesta and published the contents through WikiLeaks, directly influencing a presidential election. In 2015, teenage hackers broke into then-CIA Director John Brennan's personal AOL account; CNBC and Reuters, in their reporting on the Patel case, cited that breach as an early warning of the security risks of using personal email accounts for work-adjacent communications.
Cybersecurity experts cited by BBC explained why personal accounts remain attractive targets. Dave Schroeder, Director of National Security Initiatives at the University of Wisconsin–Madison, stated: "Personal accounts don't have the same level of protection and alerting as government systems, so these are often an attractive target for hackers." He added: "Handala consistently tries to gain this type of access because it serves their interests to claim hacks of prominent people and organizations."
Cynthia Kaiser, senior vice-president at Halcyon Ransomware Research Center and a former official at the FBI's Criminal, Cyber, Response, and Services Branch, told BBC she believed the Patel breach may have been a historical compromise recycled for current use. "The emails look very old and that makes me believe that this is likely a compromise that occurred from other groups in another time period, and is recycled today," Kaiser said.
If Kaiser's assessment is accurate, it would mean Iran did not necessarily hack Patel's account in March 2026, but rather acquired access to previously stolen credentials from another breach — and chose this moment, at war, to publish them for maximum effect.
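If the compromise really was an old credential resurfacing, the defender's question is whether a given account's credentials already sit in earlier breach corpora. The script below is an added example, not code from the article or from any firm named in it: it implements the k-anonymity range-query pattern used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffix list locally, so the password itself never leaves the machine). The "server" side is reconstructed here from a small constructed corpus so the check runs offline; the corpus contents and the `fetch_range` hook are assumptions for illustration.

```python
"""Offline demonstration of a k-anonymity breached-credential check.

Added example, not from the article. It mirrors the range-query protocol of
Have I Been Pwned's Pwned Passwords service: the client sends the first five
hex characters of the SHA-1 of a password, the server returns every known
35-character suffix with a breach count. The "server" response here is
built locally from a constructed corpus, so nothing touches the network.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample corpus standing in for a breach dump (not real data).
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "Summer2014!": 1203,
    "letmein": 458_000,
    "correct horse battery staple": 9,
}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the corpus as 5-char prefix -> {35-char suffix: breach count}.

    This is the shape the server holds; a real service has hundreds of
    millions of entries, but the lookup is identical.
    """
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def fake_range_response(index: Dict[str, Dict[str, int]], prefix: str) -> str:
    """Render the server's plain-text reply: one 'SUFFIX:COUNT' line per hit.

    An unknown prefix yields an empty body, just as a real miss would.
    """
    suffixes = index.get(prefix.upper(), {})
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(suffixes.items()))


def check_password(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, int]:
    """Return (breached, count) without transmitting the password.

    Only the 5-char prefix goes to `fetch_range`; matching the remaining 35
    characters happens locally. `fetch_range(prefix) -> str` is the single
    network-shaped dependency, injected so it can be swapped for the offline
    stub above or for a real HTTP client.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        got_suffix, _, count = line.partition(":")
        if got_suffix.upper() == suffix:
            return True, int(count)
    return False, 0


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    fetch = lambda prefix: fake_range_response(index, prefix)
    for candidate in ("Summer2014!", "a-fresh-unique-passphrase-2026"):
        breached, n = check_password(candidate, fetch)
        state = "seen in" if breached else "not in"
        print(f"{candidate!r}: {state} corpus ({n} hits)")
```

The design point is the split of work between client and server: a hit is decided on the client from a short prefix query, so a compromised or logging server learns at most that one of several hundred hashes sharing that prefix was of interest. Swapping `fake_range_response` for a real HTTP GET against the service's range endpoint is the only change needed to run this against live data.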
The Strategic Logic: Embarrassment as a Weapon
Gil Messing, chief of staff at Israeli cybersecurity company Check Point, told Reuters and CNBC that the hack-and-leak operation against Patel was part of Iran's deliberate strategy. The goal, he said, was to embarrass US officials and "make them feel vulnerable." Of the Iranians, Messing said, they are "firing whatever they have."
That framing — cyber operations as a parallel front in a kinetic war — aligns with what WIRED documented about Handala's post-February 28 posture. Iran-linked hackers "who initially kept a low profile after the United States and Israel launched coordinated strikes against the Islamic Republic last month have increasingly boasted of their cyber operations as the conflict drags on," Reuters reported.
The practical intelligence value of the published Patel emails — which span 2010 to 2019, years before he became FBI Director — appears limited. The FBI's own statement that the data "involves no government information" suggests no classified material was exposed. The operation's purpose was demonstrative: to show that even the director of the premier domestic law enforcement and intelligence agency is not beyond reach, and to circulate that message through global media at a moment when the US government is under public scrutiny over the war.
Whether the $10 million FBI bounty will result in arrests or extraditions of Handala members — most of whom are believed to operate inside Iran — is an open question the FBI has not addressed publicly.
What Is Not Confirmed
The FBI confirmed that Patel's personal email was targeted but has not confirmed the full scope of what was accessed. Reuters was unable to independently authenticate the published emails. Google has not confirmed or denied the breach to any outlet. The specific timing of when the Gmail account was first compromised has not been established — Kaiser's assessment that it may be a recycled older breach has not been confirmed or denied by the FBI.
Whether any of the published emails contain information that could pose a security risk — even if not formally classified — has not been publicly assessed by any US government agency.