The U.S. Department of Justice has confirmed a cyberattack targeting the personal inbox of FBI Director Kash Patel, with sensitive photographs and correspondence dating back to 2010 leaked online. Pro-Iranian hacktivist group Handala claimed responsibility for the intrusion, describing it as direct retaliation for recent American naval and cyber operations.

Retaliation for USS Dena Sinking

The hackers dedicated the breach to 'martyrs' of the Iranian frigate Dena, which was reportedly sunk by a U.S. submarine in early March 2026 during the ongoing conflict.

$10 Million Reward Offered

The U.S. State Department activated its 'Rewards for Justice' program, offering up to $10 million for information leading to the identification of Handala group members.

Nature of Leaked Data

The FBI stated the compromised materials are 'old in nature,' consisting of personal files from 2010 to 2019 that predate Patel's 2025 appointment as head of the bureau.

Wider Cyber Offensive

Handala has intensified its operations, recently claiming a 'wiper' attack on Michigan-based medical tech firm Stryker Corporation as part of a broader 'resistance' campaign.

Iran-linked hackers from the group Handala Hack Team claimed responsibility on Friday for breaching the personal email account of FBI Director Kash Patel, publishing private photographs and correspondence online in what the group described as retaliation for recent U.S. actions against it. A Justice Department official confirmed to Reuters that Patel's emails were compromised, and an FBI spokesman, Ben Williamson, acknowledged the breach while noting that the stolen material predates Patel's 2025 appointment as bureau director. The leaked files, posted on a website bearing the Handala name, included personal photos showing Patel smoking cigars, posing beside a vintage convertible, and taking a selfie next to a bottle of liquor, as well as correspondence spanning from 2010 to 2019. Reuters reviewed a sample of the uploaded material and found it to be a mix of personal and work correspondence, though the agency was unable to immediately authenticate all of the emails. The Gmail address used in the breach matched an address previously associated with Patel in earlier data leaks, according to Reuters.

The Handala group has been one of the most active cyber actors since the start of the U.S.-Israel war against Iran, which began on February 28, 2026. The U.S. Justice Department seized several Handala domain names in the week prior to the breach, saying Iran's Ministry of Intelligence and Security had been using the websites to spread what it described as terrorist propaganda, conduct psychological operations, and call for the killing of journalists and dissidents. According to the BBC, Patel had also been targeted by Iranian-backed hackers in 2024, weeks before his appointment to lead the FBI.

FBI calls data 'historical,' State Department posts $10M reward

The FBI moved quickly to limit the political damage from the disclosure, characterizing the exposed material as non-sensitive and outdated.

"The F.B.I. is aware of malicious actors targeting Director Patel's personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity. The information in question is historical in nature and involves no government information." — Ben Williamson via The New York Times

A set of files posted on the website appeared to contain more than 300 messages from a Gmail account used by Patel, with the earliest dating from February 2010 and the most recent from February 2022, according to the New York Times. Most messages were from 2010 to 2014, when Patel worked as a federal public defender in Miami and applied for a position at the Justice Department's national security division. The Rewards for Justice program was activated in response, with the State Department offering a $10 million reward for information leading to the identification of Handala members. The State Department posted the offer in Farsi on its official account, directly targeting potential informants within Iran's cyber networks, according to Ziare.com.

Hackers cite Iranian frigate sinking and domain seizures as motive

Handala framed the attack as a direct response to two specific U.S. actions: the FBI's seizure of its domain names and the alleged torpedoing of the Iranian frigate Dena by a U.S. submarine in early March 2026 in international waters off Sri Lanka. The group's statement was dedicated to what it called the martyrs of the Dena, referencing more than 80 sailors reported killed in that incident, according to 20minutes citing AFP. On its website, Handala declared that the FBI's purportedly impenetrable systems had been compromised within hours.

"This is the security that the US government boasts about?! This is the cyber giant that thinks threats and bribes can silence the voice of resistance?!" — Handala Hack Team via BBC

The New York Times noted that the website hosting the leaked files was being served from a computer server located in Russia, and that the site's domain had been registered on March 19 by an entity appearing to identify itself as the Kingdom of Tonga. Cybersecurity tool VirusTotal flagged a risk that the website could implant malware on devices of visitors, the Times reported. The questions about the site's infrastructure raised uncertainty about who precisely carried out the intrusion, even as Handala claimed full credit.

Stryker 'wiper' attack adds to Handala's recent escalation

The breach of Patel's account was not an isolated incident but part of a broader campaign of cyberattacks claimed by Handala in recent weeks. Earlier in March, the group claimed responsibility for a wiper attack on Stryker, a U.S. medical technology firm based in Michigan, in which the company's employee login page was defaced with a message claiming data had been erased. Handala stated on its now-suspended X account that it had wiped over 200,000 systems, servers, and mobile devices and extracted 50 terabytes of critical data from Stryker, according to the BBC. The group said the Stryker attack was retaliation for what it described as an Israeli strike on an Iranian girls' school at the start of the war that killed over 160 people, as well as for ongoing cyber operations against Iranian infrastructure.

Cybersecurity researchers associate Handala with Iran's Ministry of Intelligence and Security, though the group describes itself publicly as a pro-Palestinian hacktivist collective. Tehran officially denied involvement in the Patel breach, according to 20minutes. Google, which owns Gmail, did not provide comment on the incident, Deutsche Welle reported.

Mentioned People

  • Kash Patel — Director of the Federal Bureau of Investigation since 2025

Sources: 48 articles