
Iran-linked Handala publishes FBI Director Patel's personal photos and 300+ emails

By Artem Safonov, Threat Analyst

Handala published over 300 emails and photographs from FBI Director Kash Patel's Gmail on March 27, 2026. The Iran-linked hacking group released the cache eight days after the DOJ seized four of its domains. The State Department had simultaneously offered a $10 million bounty on the group's members.

The FBI confirmed the breach and stated it had "taken all necessary steps to mitigate potential risks." The bureau added that the leaked data "is historical in nature and involves no government information."

Leaked photographs show Patel with antique cars bearing Cuban licence plates and smoking cigars. Most of the 300+ emails date from 2010 to 2012. The most recent item is a 2022 plane ticket receipt, according to NBC News. The cache includes flight receipts, family correspondence, and travel bookings.

An independent cybersecurity researcher reviewed the files with CNN and described content spanning 2011 to 2022.

Reuters could not authenticate the emails independently. District 4 Labs, a dark web intelligence firm, confirmed that the Gmail account in the leak matched Patel's in prior breach records. CNN verified the photographs through a source familiar with the incident. TechCrunch checked message headers and confirmed some emails.

NBC News spotted a 2014 email with an OPSEC detail. Patel, then in the DOJ's National Security Division, sent himself a link from his DOJ account. He CC'd both his FBI inbox and personal email account. Federal policy now prohibits cross-linking official and personal accounts.

File metadata shows the data was exfiltrated before the current conflict. Folders were last modified on May 21, 2025, per NBC News.

While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala hack members, we decided to respond to this ridiculous show in a way that will be remembered forever.

— Handala Hack Team

On March 19, the DOJ took down four MOIS-linked domains. The sites were Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to. Patel vowed that day to "hunt down every actor behind these cowardly death threats and cyberattacks."

Handala cited the March 4 sinking of Iranian frigate IRIS Dena. The US submarine attack killed 87 sailors.

The Iranians are firing whatever they have.

— Gil Messing, chief of staff, Check Point, describing the operation as part of Iran's strategy to embarrass US officials and make them feel vulnerable

Patel was targeted before. In late 2024, officials told him Iranian hackers had accessed some of his communications. That breach was part of a broader campaign by hackers from China and Iran targeting incoming Trump administration figures. Deputy Attorney General Todd Blanche, Lindsey Halligan, and Donald Trump Jr. were among those hit, CNN reported.

Handala's attacks have escalated since US-Iran hostilities began in February 2026. On March 11, the group hit Stryker, a Michigan medical technology firm. Handala claimed to have wiped 200,000+ devices. Independent reporting placed the count at roughly 80,000 Windows machines compromised via Microsoft Intune.

DOJ court documents confirm hospital impact from the Stryker attack. The attack "had a direct impact on emergency medical services and hospitals within Maryland." Groups like Handala are known to exaggerate operational scale, according to Axios.

Handala published personal data of dozens of Lockheed Martin employees the week of March 24. Lockheed stated it had policies "to mitigate cyber threats to our business."

The DOJ's 40-page seizure warrant names Handala as a MOIS moniker. The group has run hacking campaigns and intimidation operations targeting Israel and the US since 2022. Seized websites hosted 851 GB of data allegedly stolen from the Sanzer Hasidic Jewish community. Israeli officials claimed last week that several Iranian leaders behind the group had been killed in airstrikes, per Iran International.

Patel's Gmail was likely breached in 2024 or early 2025 and held until the FBI publicly committed against Handala. The 2014 practice of CC'ing federal and personal addresses created an attack surface that persisted long after Patel moved to a sensitive role. The breach of the FBI Director's personal account by the same group the bureau had targeted with domain seizures and a bounty is an operational embarrassment regardless of the content's sensitivity.

Handala restored operations on new domains within hours of the March 19 seizure. The group spent the following week issuing threats to US and Israeli officials. The FBI reiterated that the $10 million reward remains active, noting Handala has "frequently targeted U.S. government officials."


Questions on the topic

Was FBI Director Kash Patel's email hacked by Iran?
Iran-linked Handala published over 300 emails and photos from Patel's Gmail on March 27, 2026. The FBI called the content "historical" with no government data.