Just over a week after the Justice Department announced it had seized four Handala-linked domains and FBI Director Kash Patel pledged to "hunt down every actor" behind the group's death threats and cyberattacks, Handala published what it claimed were personal photographs, a résumé, and email correspondence pulled from Patel's personal Gmail account. The FBI confirmed the compromise, characterizing the stolen material as "historical in nature" with "no government information" involved.
The timing was not coincidental. According to researchers tracking the group, the domain Handala used to execute and publicize the hack had been registered on March 19 — the same day the DOJ announced its seizures. Handala's retaliation infrastructure was likely already staged before the DOJ press release went out.
No Observable Pause
The March 19 seizures, covering Handala-Hack.to, Handala-Redwanted.to, and two related domains used by Iran's Ministry of Intelligence and Security (MOIS), were framed in DOJ filings as disrupting a network used to claim credit for intrusions, leak stolen data, and post explicit death threats against journalists, dissidents, and Israeli government targets. Within hours, the familiar forfeiture banner replaced those pages. Less than a day later, Handala had fully reconstituted its web presence on new domains, issuing a statement dismissing the action as a "desperate attempt" to silence the group.
Following the FBI's takedowns, there was no observable pause in Handala's doxxing campaigns or in its role as a front for MOIS-attributed activity.
By successfully targeting the person who publicly vowed to pursue the group, Handala sent a message about its reach and about its willingness to escalate against individuals rather than institutions when it wants to make a point. TechCrunch independently verified that at least some of the emails were genuine by examining mail header metadata. Handala also claimed in a separate post that it had breached an FBI network, providing no supporting evidence.
The cost of failing to disable the group is high. Before the takedown, Handala-Redwanted.to published names and personally identifiable information for roughly 190 people tied to the Israeli government or military, accompanied by language implying precise location awareness and imminent consequences. A separate domain within the seized cluster advertised a $250,000 bounty for the beheading of two individuals inside the United States. For targeted communities (journalists, dissidents, Israeli-Americans), the threat is physical.
The seizures also came less than two weeks after Handala's destructive attack on Stryker, where the group weaponized the company's own Microsoft Intune MDM deployment to wipe more than 200,000 employee devices across 79 countries and disrupt hospital services in Maryland. Taking a handful of leak sites offline in the aftermath of that operation looks more like a narrow legal response than anything that would affect the group's actual capabilities.
CISA's Shutdown Struggles Continue
The State Department's new Bureau of Emerging Threats, notified to Congress on March 23, is chartered to anticipate and counter the weaponization of AI, cyber, and space by Iran, China, Russia, and North Korea, and to include dedicated cybersecurity and critical infrastructure divisions. The White House's new National Cyber Strategy, released days later, is explicitly framed around resetting adversaries' risk calculus before they target U.S. networks. Both represent an acknowledgment that domain whack-a-mole is insufficient on its own.
The reality is that, in the midst of these digital battles, the primary day-to-day defender of U.S. critical infrastructure is operating at a fraction of its intended capacity. CISA Acting Director Nick Andersen testified on March 25 that roughly 60% of the agency's workforce is furloughed under the ongoing shutdown, and that the programs being "scaled back or paused" are specifically the early-warning systems that previously intercepted an Iranian attempt against Boston Children's Hospital. A Foundation for Defense of Democracies brief published March 27 tied that gap directly to recent healthcare-targeting attacks, and noted CISA was already about 40% understaffed in key mission areas before furloughs began. Iran crossed 30 days of near-total internet blackout as of March 29, which continues to suppress some sophisticated state-directed operations from inside the country. Remote cells, however, loosely coordinated through Telegram's Cyber Islamic Resistance umbrella, remain entirely unaffected by domestic connectivity.
Critical infrastructure operators need to know they can readily detect pre-positioning within their systems, management platforms, and SaaS control planes before harassment operations turn into outages.