Pro-Iran Hackers Claim Breach of FBI Director Kash Patel's Personal Email
Iran-linked hackers published photos and 300+ emails from FBI Director Kash Patel's personal Gmail, framing the breach as retaliation after the FBI seized Handala's domains.

The Handala Hack Team framed their latest strike as payback: days after the FBI seized several of the group's domains in response to the Stryker attack, Handala went directly for the man who had announced those seizures. "While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala Hack members," the group wrote on its website, "we decided to respond to this ridiculous show in a way that will be remembered forever."
Iran-linked hackers published the contents of FBI Director Kash Patel's personal email inbox on Friday, including photographs of Patel smoking cigars, riding in an antique convertible, and taking a mirror selfie with a large bottle of rum, alongside a sample of more than 300 emails that appear to show a mix of personal and work correspondence dating between 2010 and 2019.
In a statement, FBI spokesman Ben Williamson said the bureau had "taken all necessary steps to mitigate potential risks associated with this activity" and that the data involved was "historical in nature and involves no government information." The FBI also said it was offering up to $10 million in rewards for information relating to the Handala hackers.
The FBI's characterization of the data as historical and non-governmental is accurate as far as it goes, but it understates the residual risk. The personal Gmail address that Handala claims to have broken into matches the address linked to Patel in previous data breaches preserved by the dark web intelligence firm District 4 Labs. TechCrunch confirmed that at least some of the emails leaked by Handala came from Patel's alleged Gmail account by verifying information contained within the message headers. Even pre-tenure correspondence can be weaponized: names, travel patterns, and professional contacts buried in decade-old emails provide ready material for targeted phishing and social engineering against current colleagues and family.
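The header verification mentioned above can be reproduced, in part, as a triage step over the leaked messages. What follows is an added example, not the article's or TechCrunch's method: it runs the Python standard library over two constructed sample messages with invented addresses, hosts, and an invalid DKIM signature value, and reports whether the headers are internally consistent (signing domain matches the From domain, the From header is covered by the signature, and the first relay belongs to the claimed sender's infrastructure). It deliberately does not fetch the DKIM public key from DNS, so a "consistent" verdict is not proof of authenticity; the mapping of gmail.com senders to google.com relays is an assumption written into the code.

```python
"""Header-consistency triage for leaked e-mails (added example, not from the article)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed mapping: mail sent via Gmail enters the network from google.com relays.
RELAY_SUFFIXES = {"gmail.com": (".google.com",)}

# Constructed sample: headers consistent with a message sent through Gmail.
CONSISTENT_EML = """\
Received: from mail-yw1-f41.google.com (mail-yw1-f41.google.com [209.85.128.41])
        by mx.example.org with ESMTPS id abc123
        for <recipient@example.org>; Tue, 12 Mar 2019 10:15:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=not-a-real-signature-value==
From: Some Sender <some.sender@gmail.com>
Date: Tue, 12 Mar 2019 10:15:20 -0700
Message-ID: <CAExampleId123@mail.gmail.com>
Subject: Re: schedule
To: recipient@example.org

Body text.
"""

# Constructed sample: a forgery claiming a Gmail sender but signed by an
# unrelated domain and injected from a non-Google relay.
FORGED_EML = """\
Received: from relay.attacker.example (relay.attacker.example [203.0.113.7])
        by mx.example.org with ESMTPS id def456
        for <recipient@example.org>; Tue, 12 Mar 2019 10:15:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=attacker.example; s=sel1;
        h=mime-version:date:message-id:subject:to;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=not-a-real-signature-value==
From: Some Sender <some.sender@gmail.com>
Date: Tue, 12 Mar 2019 10:15:20 -0700
Message-ID: <forged123@relay.attacker.example>
Subject: Re: schedule
To: recipient@example.org

Body text.
"""


def _flat(value):
    """Collapse header folding (newline + leading whitespace) into single spaces."""
    return re.sub(r"\s+", " ", str(value)).strip()


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for part in _flat(header_value).split(";"):
        if "=" in part:
            key, _, val = part.partition("=")  # b= and bh= values contain '='
            tags[key.strip()] = val.strip()
    return tags


def parse_received(header_value):
    """Return (from_host, by_host) from a Received header, or (None, None)."""
    m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", _flat(header_value))
    return (m.group(1), m.group(2)) if m else (None, None)


def triage(raw_message):
    """Internal-consistency checks over one RFC 5322 message.

    Says only whether the headers agree with each other. Proof of origin needs
    cryptographic verification of the DKIM signature against the key published
    at <s>._domainkey.<d> in DNS, which is not attempted here (offline example).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    msgid_domain = _flat(msg["Message-ID"]).strip("<>").rpartition("@")[2].lower()
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    report = {
        "from_domain": from_domain,
        "message_id_domain": msgid_domain,
        "received_hops": hops,
        "dkim_present": msg["DKIM-Signature"] is not None,
        "dkim_domain": None,
        "dkim_domain_matches_from": False,
        "from_header_signed": False,
        "first_hop_in_sender_infra": False,
    }
    if report["dkim_present"]:
        tags = parse_dkim_tags(msg["DKIM-Signature"])
        d = tags.get("d", "").lower()
        signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
        report["dkim_domain"] = d
        # A genuine Gmail-originated message is signed by the From domain itself.
        report["dkim_domain_matches_from"] = bool(d) and (
            from_domain == d or from_domain.endswith("." + d)
        )
        # If "from" is missing from h=, the visible sender was never signed.
        report["from_header_signed"] = "from" in signed
    # The last Received line is the earliest hop: where the message entered mail.
    if hops and hops[-1][0]:
        suffixes = RELAY_SUFFIXES.get(from_domain, ("." + from_domain,))
        report["first_hop_in_sender_infra"] = hops[-1][0].lower().endswith(suffixes)
    report["consistent"] = all(report[k] for k in (
        "dkim_present", "dkim_domain_matches_from",
        "from_header_signed", "first_hop_in_sender_infra"))
    return report


if __name__ == "__main__":
    for label, eml in (("consistent", CONSISTENT_EML), ("forged", FORGED_EML)):
        print(label, triage(eml))
```

Run over a leaked mailbox, a dump where every message passes these checks is worth the cost of a real DKIM verification; a dump where signing domains, Message-ID domains and first hops disagree with the claimed sender is the cheap signal that something was altered or fabricated.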
Handala presents itself as a group of pro-Palestinian vigilante hackers but is considered by Western researchers to be one of several personas used by Iranian government cyberintelligence units. Palo Alto Networks links it to Iran's Ministry of Intelligence and Security, assessing it as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor. Gil Messing, chief of staff at Israeli cybersecurity company Check Point, said the hack-and-leak operation against Patel was part of Iran's strategy to embarrass U.S. officials and "make them feel vulnerable." The Iranians, he said, are "firing whatever they have."
The Patel breach is the group's highest-profile move yet in a surge of operations since the U.S.-Israeli war against Iran began in February. Handala recently claimed the hack of Michigan-based medical devices provider Stryker on March 11, saying they had deleted a massive trove of company data. The group claimed that Stryker's offices in 79 countries were forced to shut down after it erased data from more than 200,000 systems, servers and mobile devices. In addition, Handala claimed to have published the personal data of dozens of Lockheed Martin employees stationed in the Middle East.

This is not the first time Iranian-backed hackers have accessed Patel's private information. In late 2024, just weeks before his appointment to lead the FBI, Patel was informed by officials that he had been targeted as part of an Iranian hack and some of his personal communications had been accessed. That earlier breach was part of a broader effort by foreign hackers from China and Iran targeting incoming Trump officials, including now Deputy Attorney General Todd Blanche and Donald Trump Jr.
The Patel breach came not long after the Justice Department seized four domains connected to Handala, as part of an ongoing effort to disrupt hacking and transnational repression schemes conducted by Iran's Ministry of Intelligence and Security. But domain seizures carry limits. Check Point's Messing described the dynamic as likely an ongoing game of whack-a-mole: "In the past they've managed to bypass takedown by bringing up new channels instead."
The tactic of breaching senior officials' personal accounts is not new: hackers famously broke into Hillary Clinton campaign chairman John Podesta's personal Gmail ahead of the 2016 election and published much of the data to WikiLeaks. What distinguishes the Patel case is the explicit retaliatory framing tied to an active armed conflict. U.S. intelligence officials have repeatedly warned about the possibility of Tehran-linked hackers retaliating for the U.S. and Israeli bombing of Iran that began last month.
The episode carries direct practical lessons for senior officials and ordinary users alike. Strong, unique passwords and phishing-resistant, hardware-backed second factors (security keys) on personal accounts are non-negotiable; Handala's apparent access to Patel's Gmail suggests those fundamentals may have been lacking. Keeping personal and government communications on entirely separate devices and accounts removes the cross-contamination that turns a personal breach into a professional one. And older accounts that predate a sensitive role, the kind that accumulate for years and get forgotten, are exactly the attack surface adversaries exploit. According to the Justice Department, Handala is also known to threaten and harass Iranian dissidents and journalists living in the United States and abroad, a reminder that the hazard extends well beyond the officials whose names appear in the headlines.

