The Handala Hack Team has published a cache of personal documents and photographs allegedly stolen from the private Gmail account of FBI Director Kash Patel. A U.S. Department of Justice official confirmed the authenticity of the breach, which includes correspondence dating back to 2010. The cyberattack is being viewed as a retaliatory strike following recent FBI operations against Iranian digital infrastructure.
Retaliation for Domain Seizures
The hackers stated the breach was a direct response to an FBI operation last week that seized several of Handala's domains following a major attack on medical tech firm Stryker.
Verification of Leaked Data
Independent researchers at TechCrunch verified the leak's authenticity by checking cryptographic signatures on emails sent from Patel's official FBI address to his personal account.
Iranian Intelligence Links
Cybersecurity firm Check Point Research associates Handala with the counterterrorism division of Iran's Ministry of Intelligence and Security, noting their leader was recently killed in U.S.-Israeli strikes.
Significant Security Breach
The incident is considered one of the most high-profile cyberattacks in the ongoing conflict between the U.S. and Iran, potentially exposing sensitive professional history.
An Iran-linked hacking group claimed responsibility Friday for breaching the personal email account of FBI Director Kash Patel, publishing photographs of the director and a purported copy of his resume online, with a Justice Department official confirming the breach to Reuters. The group, known as Handala Hack Team, posted the materials on its website and declared that Patel "will now find his name among the list of successfully hacked victims." A sample of the leaked materials reviewed by Reuters appeared to contain a mix of personal and professional correspondence spanning the period from 2010 to 2019. TechCrunch independently verified the authenticity of at least some of the emails by examining message headers and cryptographic signatures, finding that signatures matched the email content and strongly suggested the messages were genuine. In some cases, Patel appeared to have forwarded messages from his FBI email address to his personal Gmail account, and TechCrunch reported those emails also appeared authentic. The FBI did not immediately respond to requests for comment.
Hack framed as retaliation for FBI domain seizures
Handala described the breach as direct retaliation for an FBI operation the previous week in which the bureau seized several of the group's domains. The domain seizures followed Handala's claimed responsibility for a destructive cyberattack against Stryker, a major American medical technology company, which the group said wiped tens of thousands of employee devices. After the FBI seized its websites, Handala quickly moved to new domains and continued operating.
"While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala hack members, we decided to respond to this ridiculous show in a way that will be remembered forever" — Handala Hack Team via Axios
U.S. prosecutors have formally accused Iran's Ministry of Intelligence and Security of operating the Handala group. The FBI seized a handful of Handala websites following the Stryker attack, though those sites quickly reappeared on new domains.
Group's leader reportedly killed in U.S.-Israeli strikes
According to cybersecurity firm Check Point Research, Handala is associated with the counterterrorism division of Iran's Ministry of Intelligence and Security, making it one of several proxy groups Iran uses to conduct cyber operations while maintaining plausible deniability. The group's leader, Seyed Yahya Hosseini Panjaki, is believed to have been killed during U.S.-Israeli strikes in early March 2026, according to reporting cited by 7sur7. Handala has been active since 2023 and has previously carried out multiple hacking operations targeting entities in Israel, including publishing personal details of individuals allegedly affiliated with the Israeli Defense Forces and local defense contractors. Axios noted that groups like Handala are known to make exaggerated claims about the scale of their intrusions and the volume of data stolen, and the full contents of a zip file the group claimed contained additional stolen documents had not been independently verified. Experts cited by Axios warned that the Iranian government is likely to pursue both destructive cyberattacks against critical infrastructure and online influence operations designed to sow confusion during the ongoing U.S.-Israeli war against Iran.
The U.S.-Israeli military campaign against Iran, known as Operation Epic Fury, began on February 28, 2026, and resulted in the death of Supreme Leader Ali Khamenei in the initial strikes. Iran's Ministry of Intelligence and Security has a documented history of using proxy hacker groups to conduct cyber operations against adversaries, a structure that makes formal attribution to the Iranian state more difficult. Handala first emerged in 2023 and built a record of targeting Israeli institutions before expanding its operations to include U.S. entities following the outbreak of the current conflict. According to cybersecurity company Sophos, the group was first observed in 2023 and operates as an Iranian hacktivist persona.
Axios calls breach potentially the war's most significant cyberattack
Axios described the incident as potentially the most significant cyberattack of the ongoing conflict between the United States, Israel, and Iran, noting it could place uncomfortable scrutiny on Patel. The Justice Department official who confirmed the breach to Reuters said the published material appeared authentic but declined to provide further details. Handala also posted photographs of a visibly younger Patel standing next to cars bearing Cuban license plates and smoking cigars, alongside the purported resume snippet. TechCrunch sent messages to Patel's exposed Gmail address and a phone number found in the alleged resume but received no immediate response. The incident underscores warnings from cybersecurity experts that Iran-linked groups would intensify both destructive and intelligence-gathering cyber operations following the outbreak of hostilities in late February.
Reward announced by the FBI for information on Handala members: 10 million USD
Mentioned People
- Kash Patel — Director of the Federal Bureau of Investigation since 2025
- Seyed Yahya Hosseini Panjaki — Reportedly the leader of Handala Hack Team, linked to Iranian intelligence
- Donald Trump — 47th President of the United States