Iran-Linked Handala Hackers Breach FBI Director's Personal Gmail
Iran-linked hackers operating as the Handala Hack Team claimed they breached FBI Director Kash Patel’s personal Gmail account and published excerpts from the stolen material online. Reporting says the leak totaled about 800 MB and included personal photographs, a purported resume, and hundreds of emails, with exposed correspondence spanning roughly 2010 to 2019 and appearing to contain both personal and work-related messages. A Justice Department official confirmed Patel’s email account had been compromised and said the leaked material appeared authentic, though the emails themselves were not independently verified.
Handala framed the intrusion as an embarrassment for U.S. security leadership and warned that if the FBI director could be compromised, other personnel could be targeted as well. Western cybersecurity researchers have assessed Handala as a pro-Palestinian hacktivist persona linked to Iranian government cyberintelligence units, and the breach follows other activity attributed to the group, including a claimed attack on medical technology company Stryker. The incident also comes after U.S. actions against Handala, including domain seizures and a $10 million reward offer tied to identifying members of the group.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
State Department reissues $10 million reward naming Handala
On 2026-03-30, the U.S. State Department reissued a $10 million reward for information on Iranian cyber actors, specifically naming Handala and the Iranian IT company Parsian Afzar Rayan Borna. The move followed the Patel email intrusion and reflected continued U.S. efforts to identify and disrupt actors linked to Iran's MOIS.
Report ties Handala Hack Team to Iran's MOIS
The Hacker News reported that the Handala Hack Team persona is linked to Iran’s Ministry of Intelligence and Security (MOIS), framing the group as a disruptive actor focused on psychological impact as well as destructive operations. The attribution connected the Patel email breach and prior Stryker wiper activity to a broader Iran-aligned cyber campaign.
FBI says Patel email leak was historical and mitigation steps were taken
The FBI confirmed the theft of Director Kash Patel's personal emails, said the exposed material was historical and contained no government information, and stated that mitigation steps had been taken. The statement marked a formal FBI response to the incident beyond the earlier Justice Department confirmation.
Justice Department confirms Patel email compromise appears authentic
A Justice Department official confirmed that Patel's personal email account had been compromised and said the leaked material appeared authentic. Reuters reviewed exposed material but could not independently verify the emails themselves.
Handala publishes excerpts and data from Patel's account online
After the breach, Handala publicly released excerpts from the stolen material and reportedly leaked about 800 megabytes of data online. The group framed the intrusion as an embarrassment for U.S. security leadership.
Handala breaches Kash Patel's personal Gmail account
Iran-linked hackers operating as the Handala Hack Team compromised FBI Director Kash Patel's personal Gmail account. The exposed correspondence reportedly spanned mainly 2010 to 2019 and included personal photographs, a purported resume, and work-related emails.
FBI seizes four Handala-linked domains and offers $10 million reward
On 2026-03-19, the FBI reportedly seized four domains linked to the Handala persona and the U.S. offered a $10 million reward for information identifying the group's members. The source reporting framed the later Patel account intrusion as retaliation for this law enforcement action.
Attack on Stryker used Intune admin access to remotely wipe devices
On 2026-03-11, attackers allegedly used compromised Microsoft Intune Global Administrator credentials and legitimate remote wipe functionality in an attack on Stryker, rendering tens of thousands of devices inoperable across 79 countries. The incident was presented as evidence of a shift toward identity compromise and abuse of legitimate administrative tools rather than custom malware.
Sources
15 references tracked.
Inside Handala’s Hack on the FBI Director (socradar.io)
State Department reissues $10 million reward for info on Iranian hackers | The Record from Recorded Future News (therecord.media)
FBI confirms hack of Director Patel's personal email inbox (bleepingcomputer.com)
Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack (thehackernews.com)
Iran-backed hackers breach FBI director Kash Patel's emails - BBC News (bbc.com)
The Personal Perimeter: How Officials Become Targets - Center for Cyber Diplomacy and International Security (cybercenter.space)
Iran-linked hackers breach FBI director's personal email, publish excerpts online - The Korea Times (koreatimes.co.kr)
FBI confirms theft of director’s personal emails by Iran-linked hacking group | The Record from Recorded Future News (therecord.media)


