Iran-Linked Handala Leaks FBI Director Kash Patel’s Personal Gmail
Iran-linked hackers operating as Handala claimed they breached FBI Director Kash Patel’s personal Gmail account and published personal photographs, documents, and a sample of more than 300 emails online. Multiple reports said the exposed messages dated from roughly 2010 to 2019, and people familiar with the leak, along with technical review of some email signatures, indicated at least part of the material appeared authentic. Distributed Denial of Secrets was reported to have published what it said was Patel’s email cache, while some leaked messages reportedly showed communications involving a former Justice Department email account.
The FBI confirmed that Patel’s personal email had been targeted, said it took mitigation steps, and maintained that the exposed material was historical and did not include government or classified information or indicate a compromise of FBI networks. Handala said the intrusion was retaliation for U.S. actions against the group, including FBI seizures of domains tied to its operations and a $10 million State Department reward offer for information on its members. The incident fits a broader pattern of Iranian-aligned hack-and-leak activity that has also included claimed operations against Stryker, Lockheed Martin, and other U.S.-linked targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Technical verification supports authenticity of some leaked emails
TechCrunch reporting cited by Techdirt said cryptographic signature checks strongly suggested several leaked emails were authentic. Some verified messages reportedly showed Patel forwarding or sending emails from a former Justice Department account to his Gmail in 2014.
Distributed Denial of Secrets publishes alleged Patel email cache
Distributed Denial of Secrets published what was described as Kash Patel's email cache after Handala's claimed compromise. This made the alleged contents of the personal inbox more broadly accessible.
Report says leaked Patel emails appear authentic
A person familiar with the matter told Nextgov that the leaked materials appeared authentic, and many posted images showed Patel in a personal capacity before he became FBI director. This added early corroboration to Handala's claims.
Handala claims breach of Kash Patel's personal Gmail and leaks materials
The Iran-linked Handala group claimed it compromised FBI Director Kash Patel's personal Gmail account and published emails, photographs, and other materials online. Multiple reports say the leak included a sample from more than 300 emails and was framed by the group as retaliation for U.S. actions against it.
FBI confirms Patel's email was targeted and begins mitigation
The FBI said it was aware of malicious actors targeting Patel's personal email account and had taken mitigation steps. The bureau stated the exposed material was historical and did not include government information, while disputing broader claims that FBI systems were affected.
U.S. authorities seize four Handala-linked domains
U.S. authorities seized four domains tied to Handala's operations. Later reporting says the group described its intrusion into Kash Patel's personal email as retaliation for this action.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Iran-Linked Hackers Breach FBI Director Kash Patel’s Email, Leak Messages Online
techrepublic.com
Open sourceFBI Director Kash Patel’s Personal Email Account Apparently Breached By Iranian Hackers | Techdirt
techdirt.com
Open sourceteiss - News - Hackers claim breach of FBI director Kash Patel’s personal email account
teiss.co.uk
Open sourceFBI confirms Director Kash Patel's email hack claimed by Iran-linked group | Middle East Eye
middleeasteye.net
Open sourceIranian hackers, Handala, claim to compromise FBI Director Kash Patel’s personal data | CyberScoop
cyberscoop.com
Open sourcePro-Iran hackers claim breach of FBI director’s email - Nextgov/FCW
nextgov.com
Open sourceFBI director’s personal email, photos and documents leaked by Iran-linked hackers | US news | The Guardian
theguardian.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-Linked Handala Hackers Breach FBI Director's Personal Gmail
Iran-linked hackers operating as the **Handala Hack Team** claimed they breached FBI Director Kash Patel’s personal Gmail account and published excerpts from the stolen material online. Reporting says the leak totaled about **800 MB** and included personal photographs, a purported resume, and hundreds of emails, with exposed correspondence spanning roughly **2010 to 2019** and appearing to contain both personal and work-related messages. A Justice Department official confirmed Patel’s email account had been compromised and said the leaked material appeared authentic, though the emails themselves were not independently verified. Handala framed the intrusion as an embarrassment for U.S. security leadership and warned that if the FBI director could be compromised, other personnel could be targeted as well. Western cybersecurity researchers have assessed Handala as a pro-Palestinian hacktivist persona linked to **Iranian government cyberintelligence units**, and the breach follows other activity attributed to the group, including a claimed attack on medical technology company **Stryker**. The incident also comes after U.S. actions against Handala, including domain seizures and a **$10 million** reward offer tied to identifying members of the group.
Mar 30, 2026
Handala Claims Hack of FBI Director Kash Patel’s Personal Account
A pro-Iranian hacking group calling itself **Handala** claimed responsibility for compromising a personal account belonging to FBI Director **Kash Patel** and posted what appeared to be old personal photographs, a résumé, and other personal documents online. The FBI said malicious actors targeted Patel’s personal email information and that it had taken mitigation steps, adding that the exposed material was historical and did not include government information. Reporting said Patel had previously been notified by the FBI in December 2024 that he was a target of an Iranian hacking operation before he became FBI director. U.S. authorities have described Handala as a pro-Iranian, pro-Palestinian proxy actor linked to prior operations against U.S. officials, and the government is offering up to **$10 million** for information that helps identify the group’s members; the group has also recently claimed responsibility for disrupting **Stryker** systems.
May 25, 2026
Iran-Linked Handala Used VPN Access, RDP, NetBird, and Wipers in Destructive Campaign
Researchers linked **Handala Hack** to Iran’s Ministry of Intelligence and Security as part of the broader **Void Manticore** cluster, describing a coordinated campaign that targeted organizations in Israel, Albania, and the United States with disruptive and destructive intrusions. Reported victims and incidents included attacks on **Stryker**, compromises affecting kindergarten emergency alert systems, and a personal Gmail breach publicly attributed to FBI Director Kash Patel that the FBI said involved historical, non-classified data. U.S. authorities also seized four domains allegedly used by the operation to leak stolen data, publicize attacks, and support influence activity. Investigators said the intrusions commonly began with **compromised VPN credentials**, followed by hands-on-keyboard movement over **RDP**, use of **NetBird** for tunneling, credential theft, Active Directory reconnaissance, and staged malware delivery. The destructive phase combined multiple methods at once, including a custom **Handala Wiper**, **PowerShell-based wiping**, **VeraCrypt** encryption, manual deletion of files and virtual machines, and tooling tied to webshell persistence, Telegram-linked data exfiltration, driver-assisted disk access, and attempts to disable endpoint defenses. Analysts also tied Handala to other MOIS personas including **Homeland Justice** and **Karma**, saying the fronts shared infrastructure, domain patterns, Telegram-based communications, and overlapping tradecraft in a single coordinated state-backed campaign.
Jun 8, 2026