Handala Claims Breach of Mossad-Linked Financial and Research Communications
The main event is Handala Hack's claimed compromise of Mossad-linked personnel and systems, including an alleged leak of more than 50,000 confidential emails and documents tied to Ilan Steiner, described as a former Mossad budget director and current CFO of Israel’s National Security Institute. The post frames the material as exposing financial flows, operational planning, research activity, and support networks allegedly connected to Israeli intelligence operations across the region. This is not fluff: despite the propagandistic tone and lack of independent verification in the source material, it is a concrete claim of a cyber intrusion and data leak with potential intelligence and security implications.
A second Handala post appears related to the same broader campaign, naming Mir Vahid Hassantabar ("Vahid Online") and his brother Navid Hassantabar as alleged Mossad-linked actors and claiming the group identified the team's geographic location and prior involvement in cyber sabotage against an Iranian bank. That reference is relevant because it fits the same Handala operation targeting alleged Israeli or anti-Iranian networks, though it is more of a doxing/accusation post than a direct technical disclosure. The Substack article about British and American information operations in Libya is not about the same incident and should be excluded as a separate historical intelligence story.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Handala-linked claim alleges 100,000-email breach of Deborah Oppenheimer
Reporting on 2026-03-20 said a group calling itself Hanzala/Handala claimed it compromised the email account of Deborah Oppenheimer, described as a former Mossad deputy director of external relations and current international affairs director at an Israeli security institute. The group alleged it obtained more than 100,000 confidential or sensitive emails and made them available for public download.
Handala claims leak of 50,000 emails from Ilan Steiner account
Handala Hack Team claimed it breached the email systems and confidential data of Ilan Steiner, described as a former Mossad budget director and current CFO of Israel’s National Security Institute. The group said it released more than 50,000 emails and documents allegedly tied to Mossad-related research, planning, and financial support activities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Cyberattack targets Mossad-linked official, documents allegedly leaked | Middle East Eye
middleeasteye.net
Open sourceRansomware Listing: Who is VahidOnline?
handala-hack.to
Open sourceMossad’s Secret Treasury Exposed: 50,000 Confidential Emails Leaked - Handala Hack Team
handala-hack.to
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-Linked Handala Brand Expands From Cyber Operations to Physical Threats
Recorded Future assesses that Iran’s Ministry of Intelligence (**MOIS**) is using the **Handala** name as a reusable operational brand spanning cyber, influence, espionage, and now physical threat activity. The report links **Handala Hack Team**, **Handala Popular Resistance Front (HPRF)**, **VIPEmployment**, **MOISIRAN**, and **Brave Israel** to a broader MOIS-associated cluster tied to **Void Manticore**, which has historically targeted Israel, Iranian opposition groups, and increasingly the United States. Handala Hack Team has been associated with hack-and-leak campaigns, wiper activity, and psychologically oriented ransomware operations. Newer Handala-linked personas are described as focusing on proxy recruitment, intimidation, surveillance, and claims of real-world attacks inside Israel. Recorded Future said Telegram channels and bots, including **VIPEmployment**, were used to solicit recruits for espionage, sabotage, and attacks against U.S. and Israeli interests, while **HPRF** claimed responsibility for a vehicle arson attack in Israel in April 2026, marking the first overt physical attack publicly claimed under the Handala banner. The firm warned that MOIS is likely to continue blending cyber and physical operations against Israeli and U.S. targets, viewing such activity as remaining below the threshold of armed conflict.
Jun 2, 2026
Iran-Linked Handala Used VPN Access, RDP, NetBird, and Wipers in Destructive Campaign
Researchers linked **Handala Hack** to Iran’s Ministry of Intelligence and Security as part of the broader **Void Manticore** cluster, describing a coordinated campaign that targeted organizations in Israel, Albania, and the United States with disruptive and destructive intrusions. Reported victims and incidents included attacks on **Stryker**, compromises affecting kindergarten emergency alert systems, and a personal Gmail breach publicly attributed to FBI Director Kash Patel that the FBI said involved historical, non-classified data. U.S. authorities also seized four domains allegedly used by the operation to leak stolen data, publicize attacks, and support influence activity. Investigators said the intrusions commonly began with **compromised VPN credentials**, followed by hands-on-keyboard movement over **RDP**, use of **NetBird** for tunneling, credential theft, Active Directory reconnaissance, and staged malware delivery. The destructive phase combined multiple methods at once, including a custom **Handala Wiper**, **PowerShell-based wiping**, **VeraCrypt** encryption, manual deletion of files and virtual machines, and tooling tied to webshell persistence, Telegram-linked data exfiltration, driver-assisted disk access, and attempts to disable endpoint defenses. Analysts also tied Handala to other MOIS personas including **Homeland Justice** and **Karma**, saying the fronts shared infrastructure, domain patterns, Telegram-based communications, and overlapping tradecraft in a single coordinated state-backed campaign.
Jun 8, 2026
Handala’s Israeli Radar Disruption Claim Appears Unverified
The Iranian-linked **Handala** group claimed it had disrupted Israeli radar systems and placed the Kfar Yona municipality under a “cyber siege” amid renewed Iran-Israel hostilities. Reporting on the incident found that the evidence released by the group does **not** substantiate a radar intrusion: the screenshots and access shown appear to match a **Tadiran Telecom Aeonix** IVR/VoIP administration panel, suggesting compromise of a municipal or organizational phone system rather than military radar infrastructure. Researchers said the operation fits a broader pattern in which cyber activity is used to amplify battlefield messaging during escalating regional conflict involving Hezbollah fire, Israeli strikes in Beirut, IRGC missile launches, and Israeli retaliatory strikes on Tehran, Tabriz, and Isfahan. While the specific radar-disruption claim bears the hallmarks of propaganda and remains uncorroborated by independent evidence or official acknowledgment, Handala is described as a real state-affiliated threat actor with documented capabilities including credential theft, abuse of legitimate enterprise tools, wiper malware, and hack-and-leak operations, raising the likelihood of further disruptive attacks and inflated claims.
Jun 10, 2026