Israeli firm says Iran ran fake hacktivist group behind LA Metro breach
A fake hacktivist group claimed LA Metro’s breach, but Gambit Security says the trail led back to Iran and at least 700 gigabytes of exposed files.

A fake hacktivist persona calling itself Ababil of Minab used the Los Angeles Metro breach to stage a digital show of force, but an Israeli cybersecurity firm says the trail points back to Iran and a server tied to a hacking operation previously linked to Tehran.
Gambit Security said it found at least 700 gigabytes of LA Metro emails, backups and other files exposed online. The firm traced the material to infrastructure tied to that operation, while LA Metro said it detected unauthorized activity around March 16, 2026 and limited employee access to internal administrative systems as it worked with law enforcement and cybersecurity specialists to restore control. The agency said bus and rail service kept running and that safety and security systems were not interrupted, even as internal recovery continued for weeks.

The breach forced parts of the transit agency’s network offline, turning a back-office intrusion into a national-security problem at home. About two weeks after the first signs of the attack, Ababil of Minab appeared online and claimed it had wiped a huge amount of data. On April 9, 2026, the group also claimed responsibility for the attack on LA Metro and posted a video it said showed movement through the transit network. Those destructive claims have not been independently verified.
Metro officials did not publicly speculate about attribution while the investigation continued, but the episode fed growing concern about pro-Iran cyber activity aimed at critical infrastructure. Transportation systems have become attractive targets because they combine public visibility with sprawling administrative networks that can hold sensitive employee records, operational backups and internal communications. In this case, the public kept riding while technicians fought to rebuild access behind the scenes, a reminder that resilience now depends on far more than keeping trains and buses moving.
The Los Angeles case also raised a larger question for other transit agencies: if a spoofed hacktivist group can surface after a breach, steal or expose vast stores of data and force a months-long cleanup, how many other public systems are just as exposed? For LA Metro, the disruption never reached the rails or the buses. It showed how a foreign cyber conflict can spill into the daily machinery of American city life, and how long it can take to unwind the damage once it does.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.

