FBI Director's Email Was Hacked, Was It Iranian Hackers?

The FBI later confirmed that Patel's email had indeed been hacked, but "no sensitive information was leaked."

In the content released by the hackers, every photo of Patel was marked with a red logo – a cartoon man holding a submachine gun, next to the English name "Handala" in capital letters.

Handala was once considered a Palestinian hacker group, but an investigation by an Israeli cybersecurity company found that it was one of several online front personas used by the Iranian government's cyber intelligence department, and that the real "operator" behind it was Yahya Hosseini Panjaki, a senior official in the Iranian intelligence system.

Soon, Handala claimed to have breached Patel's personal email and warned: "This is just the beginning for us."

Hackers That Even the FBI Can’t Prevent

After successfully hacking into Patel's mailbox, the Handala organization posted mockingly: "Current FBI Director Kash Patel once proudly hung his name on the headquarters building, but now his name appears on the hacked list. The FBI's so-called 'impregnable' system was easily defeated by our team within a few hours."

The U.S. Department of Justice subsequently intervened, linking the Handala organization to the Iranian Ministry of National Security, and offered a $10 million reward for relevant clues.

Handala announced on its website that it had hacked into Patel's personal email. (Reuters)

In fact, since the war between the United States and Israel started on February 28 this year, the activities organized by Handala have become more frequent. They have published a list of about 190 people related to the Israel Defense Forces and the government, and also listed employee information of the American aerospace company Lockheed Martin's headquarters in the Middle East.

The largest recent attack launched by Handala occurred on March 11. The target of the attack was American medical equipment manufacturer Stryker, a Fortune 500 medical technology company.

Stryker Corporate Headquarters. (Stryker official website)

At 3:30 a.m. that day, Stryker employees around the world found that their computers and mobile phones were paralyzed, all data had been wiped out, and only the Handala Organization's logo remained on the screen. "My wife also works at Stryker," one employee said. "The login pages of all three of her computers were painted with hacker logos. It's a shame." Another employee described the situation on site as "terrible" and that many people's mobile phone data had been wiped out. "I can't even open emails now, and my work and life are completely messed up."

The Handala group subsequently claimed that they had stolen 51TB of Stryker data and wiped data from 200,000 devices. The U.S. Department of Justice quickly confirmed the figure.

The attack had a huge impact on Stryker. In a filing with the U.S. Securities and Exchange Commission, Stryker admitted that the hacker attack caused "a total disruption to order processing, production and shipments" and halted global operations. The Wall Street Journal reported that Stryker’s stock price fell 5.3% after the attack.

Surprisingly, the technical means used by Handala were not complicated. A network security expert told NBC that Handala used Microsoft's Intune management software to carry out the intrusion. Intune is a cloud service that lets company IT departments remotely manage mobile phones and computers. The hackers stole the administrator account and wiped the data on all devices in bulk.

After the attack on Stryker, the Handala organization claimed that it was to avenge the Minab Elementary School in Iran that was attacked in a US-Israeli air strike. On February 28, a girls' elementary school in the city of Minab in southern Iran was attacked in a US-Israeli air strike, killing about 170 people, most of whom were children.

On February 28, a schoolbag was photographed at the Minab Primary School in Iran that was attacked. (Xinhua News Agency/Mehr News Agency)

Handala wrote on its Telegram (encrypted social platform) channel: "For the children of Minab!"

"Whack-A-Mole"

Handala is a cartoon image created by Palestinian cartoonist Naji Ali in 1969: a boy who always turns his back to the world, symbolizing exile and resistance. More than fifty years later, a group of hackers chose to use "Handala" as their code name.

The logo of the Handala organization. (US Cyber Express website)

In October 2023, a conflict broke out between Israel and the Palestinian resistance organization "Hamas" in the Gaza Strip. That month, a hacker group calling itself "Handala" made its first public appearance. At the time, it was seen as a pro-Palestinian hacker group.

However, with the recent escalation of the war between the United States, Israel and Iraq, Handala has repeatedly launched cyber attacks against American and Israeli targets. This caught the attention of Israeli cybersecurity company Check Point. They discovered that behind Handala was the Iranian hacker force "Void Griffin", which was affiliated with Iran's Ministry of Intelligence and National Security. This organization also has many aliases such as "Red Sandstorm", "Exiled Kitten" and "Homeland Justice".

The FBI later pointed out that the actual leader of Handala was Yahya Hosseini Panjaki, a senior official in the Iranian intelligence service.

Public information shows that Panjaki was born in Karaj, near Tehran, in 1975. He holds a doctorate in political science from the Islamic Free University in Tabriz and has published two papers in academic journals. He once single-handedly created the "Martyr Soleimani Force" and cooperated with Iran's Islamic Revolutionary Guard Corps to carry out missions around the world. As a result, he became a core and powerful figure in Iran's intelligence system.

In September 2024, the U.S. Department of the Treasury announced sanctions on 12 Iranian individuals, and Panjaki was among them. In May 2025, the FBI issued a wanted notice, accusing Panjaki of using intelligence networks and cyber operations capabilities to plan terrorist activities around the world. However, according to the American non-profit media outlet Lawfare, Panjaki was killed in a recent US-Israeli air strike on Iran.

In May 2025, the FBI issued a wanted notice for Panjaki. ("FBI Most Wanted" official X account)

But Panjaki's death did not stop Handala. Instead, it set off a surge of activity by the organization.

Check Point discovered that Handala recently launched a bounty system called "Handala Red Notice" that uses cryptocurrency to pay bounties. Rewards for "level one high-value intelligence targets" such as Israeli Mossad and Military Intelligence Bureau officials can be as high as $50,000.

Handala's move was not random retaliation, but a like-for-like response to the US-Israeli assassination list.

Not long ago, Israeli Defense Minister Katz publicly announced that the Israeli military could strike "any senior Iranian official" without approval. At the same time, the U.S. State Department, through the "Rewards for Justice" program, publicly solicited information on 15 senior Iranian military and political officials, offering a reward of up to US$10 million. The list includes Iran's new Supreme Leader Mujtaba Khamenei, as well as the assassinated Supreme National Security Council Secretary Larijani, Intelligence Minister Khatib and others.

Currently, the FBI has seized two of Handala’s domain names, but Handala quickly relaunched its website under a new domain name. Check Point executive Gil Messing believes that this may just be a long-term game of "whack-a-mole". "In the past, they have always been able to bypass the ban and make a comeback by opening new domain names."

Handala announced the launch of the new domain name on the Telegram channel. (U.S. AI cyber threat intelligence platform Cyber Vision)

"Asymmetric Warfare"

The joint military operations launched by the United States and Israel have so far caused huge losses to Iran. According to statistics from the United Nations International Organization for Migration, 82,000 civilian buildings have been damaged in Iran and 180,000 homes have been destroyed.

Faced with such losses, Iran chose to fight back in another way. Lacking the advantage in military equipment, it has turned cyberspace into a lever for shifting the strategic balance.

In February this year, the Tasnim News Agency, a subsidiary of Iran's Islamic Revolutionary Guard Corps, published a long article detailing its combat plan against the United States, with a focus on cyber warfare. The article said that Iran will eventually make the United States pay an unbearable price through an "asymmetric protracted war."

"Iran's 'asymmetric war' is an effective way to avoid direct confrontation with the United States and Israel and instead use its own advantages to use low-cost attacks to deter its opponents." Qian Feng, a researcher at the National Institute of Strategic Studies at Tsinghua University, told Global Reporter: "Although Handala's hacking of Patel's email did not steal military secrets, it could have the effect of humiliating the U.S. law enforcement and intelligence systems, thereby undermining the credibility of the Trump administration. The paralysis of the medical system may trigger domestic public opinion in the United States and amplify public anxiety about war."

But Iran's cyberwarfare goes beyond hacking. According to Tasnim News Agency, the plan also includes direct attacks on U.S. data centers in the Gulf region.

In early March 2026, Iran's Islamic Revolutionary Guard Corps used low-cost "Kamikaze" suicide drones to launch direct attacks on two data centers of Amazon Cloud Services in the United Arab Emirates, and also attacked a facility in Bahrain. Russia's TASS News Agency stated that this is the first attack specifically targeting commercial cloud computing infrastructure in modern warfare.

The attack caused the local banking system to collapse, the trading platform to be paralyzed, and the payment system to go down. Financial institutions such as Emirates National Bank and First Bank of Abu Dhabi reported severe service disruptions. Industry experts estimate that data center failures cost approximately $6,000 per minute.

Cynthia Kaiser, a former senior FBI cyber officer, commented: "This is not just revenge, but Iran is telling the world that they can bring the war to the United States." Qian Feng believes: "Although the United States has a clear advantage on the conventional military battlefield, on this invisible front, it will fall into a long-term war of attrition that will become increasingly troublesome."

However, this has also raised concerns. Russia's TASS news agency commented: "For the international community, this incident is a warning that the globalized digital economy has exposed new weak links."

Producer: Zhang Pei

Editor: Sun Xia Li
