The Handala Hacker Group Is Escalating Fast — Here’s What Every American Needs to Know Right Now

The Handala hacker group has emerged as one of the most aggressive cyber actors in the current geopolitical crisis, expanding operations far beyond Israel to threaten American infrastructure, U.S.-based activists, and Western financial systems in a wave of attacks that cybersecurity experts say is still accelerating.



Who Is Handala — and Why Is the U.S. Now a Target?

Handala, also known as the Handala Hack Team, first appeared as a pro-Palestinian hacktivist identity in late 2023. Security researchers have since linked it with high confidence to Void Manticore, a cyber unit affiliated with Iran’s Ministry of Intelligence and Security (MOIS). What began as a targeted campaign against Israeli institutions has since broadened dramatically into a global operation with direct implications for Americans living on U.S. soil.

This group is not simply a loose band of online activists. Cybersecurity professionals now describe Handala as a state-backed instrument operating with government resources and strategic direction. Its playbook blends data theft, destructive attacks, and high-volume propaganda into a single, fused operation designed to cause fear, reputational damage, and real-world harm simultaneously.



What Triggered the Current Surge in Activity?

On February 28, 2026, the United States and Israel launched a joint military offensive against Iran, known as Operation Epic Fury in the U.S. and Operation Roaring Lion in Israel. Within hours of those strikes, Handala’s Telegram activity surged. The group launched a new site called “RedWanted” on March 1, listing names and summaries of individuals and organizations it says have supported Israel, publicly declaring it will “hunt” targets until “justice is served.”

Since the strikes, researchers have tracked roughly 60 hacktivist groups now active in connection with the conflict. Pro-Russian hacking collectives have also formed a loose coalition with Iran-aligned groups under the #OpIsrael campaign, with a shared focus on critical infrastructure attacks and mass data theft. This convergence of Russian and Iranian cyber interests has alarmed American security professionals who warn the partnership could produce more coordinated, harder-to-stop attacks than either actor could mount alone.


The Attacks: Banks, Hospitals, Airports, and American Citizens

The scale and variety of Handala’s recent operations make clear how dangerous this group has become. Members claimed to have breached multiple oil and gas organizations across Israel, Jordan, and Saudi Arabia, as well as an Israel-based research institute. The group also claimed a compromise of Jordan’s fuel systems and attacks on the Bank of Jordan, Sharjah Airport in Saudi Arabia, the Riyadh Bank website, and an airport in the United Arab Emirates.

Inside Israel, a massive cyberattack targeting the financial services sector peaked at approximately 1.2 million requests per second directed at Israeli websites — a deliberate attempt to overwhelm servers and bring banking systems offline. The Academy of the Hebrew Language, Israel’s official institution governing modern Hebrew usage, had its website hijacked and replaced with a threatening message bearing the Handala logo.

Handala has also produced and distributed deepfake propaganda videos featuring well-known Israeli political leaders, circulated widely across Arab social media networks. Disinformation is as central to the group’s strategy as any technical attack.

Perhaps most alarming for Americans: the group placed what amounted to a physical bounty on Iranian-American lawyer and activist Elica Le Bon and Iranian-Canadian politician Golsa Ghamari, claiming to have leaked their home addresses in Los Angeles and Ottawa to operatives on the ground. This marks a terrifying escalation from digital warfare into direct physical threats against people living in the United States and Canada.


How Handala Operates — The Tactics Driving the Threat

Understanding Handala’s methods is essential for any American business or individual that could find itself in the crosshairs. The group’s approach is described by researchers as pragmatic rather than technically novel — but it is highly effective because of how it combines multiple forms of pressure at once.

Handala gains initial access through phishing campaigns, social engineering tied to current events, exploitation of internet-facing web servers, and abuse of trusted supplier or vendor channels. It then stages payload delivery through commercial file-sharing services to avoid detection. Once inside a target network, the group steals data, sometimes deploys destructive wipers, and then rapidly publishes “proof” posts on Telegram and social media to amplify psychological impact and intimidate future targets.

The group has also been observed routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a technique that makes attribution harder and defense more complicated.
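A defender can check web access logs for the probing pattern described above: repeated denied requests from source addresses inside a watched set of ISP prefixes. The sketch below is an added example, not code from the researchers cited here; the prefixes are constructed placeholders from documentation address space (not real Starlink ranges), the log lines are constructed samples, and the threshold is an assumption to tune.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder prefixes (RFC 5737 documentation space), NOT real
# Starlink ranges. Replace with the ISP prefixes your team actually tracks.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample lines in common access-log format.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2026:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [02/Mar/2026:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [02/Mar/2026:10:00:03 +0000] "GET /admin/ HTTP/1.1" 403 128
198.51.100.7 - - [02/Mar/2026:10:00:04 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.9 - - [02/Mar/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.44 - - [02/Mar/2026:10:02:00 +0000] "POST /login HTTP/1.1" 401 512
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
DENIED = {"401", "403", "404"}  # failed auth, forbidden, or guessed path


def in_watched(ip_text):
    """True if ip_text parses as an IP address inside a watched prefix."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage in the client field
    return any(ip in net for net in WATCHED_NETS)


def find_probing(log_text, min_denied=3):
    """Map each watched source IP with >= min_denied denied requests to the
    sorted list of distinct paths it was denied on."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, _method, path, status = m.groups()
        if status in DENIED and in_watched(ip):
            denied[ip].append(path)
    return {ip: sorted(set(p)) for ip, p in denied.items() if len(p) >= min_denied}


if __name__ == "__main__":
    for ip, paths in find_probing(SAMPLE_LOG).items():
        print(f"review {ip}: denied on {paths}")
```

A hit is a lead for review rather than attribution, since legitimate users also connect from the same consumer ISP ranges.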

Security researchers also note that Handala went nearly silent on its public blog between January and late February 2026. That kind of operational silence, in the group’s history, has consistently signaled active campaign execution rather than inactivity. In other words, the group was quietly preparing for what has since unfolded.


The Risk to U.S. Infrastructure Is Real

American cybersecurity agencies and private researchers are issuing urgent warnings. Iran’s broader cyber ecosystem supports three interconnected activities: espionage to gain footholds in critical networks, disruption through DDoS attacks and data wipers, and information operations that combine technical attacks with coordinated online amplification. All three of these activities are currently in motion.

Analysts have specifically warned that critical infrastructure in many essential U.S. sectors is owned and operated by smaller companies with limited cybersecurity budgets. These organizations are particularly vulnerable to opportunistic attacks that require no advanced tradecraft — just persistence and a willing target. The concern is that Iran and its proxies may achieve limited but highly visible successes against these operators, similar to what happened during attacks on small U.S. water systems back in 2023.

Iran-linked hackers including MuddyWater have already breached U.S. networks using new malware in the weeks since the conflict began. A U.S. airport, a U.S. bank, and a Canadian nonprofit were all identified among recent targets in active intrusion campaigns.


What American Organizations and Individuals Should Do Right Now

The threat picture is evolving daily, but there are concrete steps that organizations and individuals can take immediately. Cybersecurity professionals recommend minimizing internet-facing services wherever possible, applying patches for known vulnerabilities as quickly as possible, and staying alert for phishing campaigns tied to current events — a known Handala specialty.

Organizations should also review their business continuity plans specifically with ransomware and wiper malware in mind, since Handala and its affiliated actors have deployed destructive tools that can permanently destroy data even if a ransom is paid. Supplier and vendor relationships deserve particular scrutiny, since the group actively targets IT service providers to reach downstream victims.

For individuals — especially those with any public profile connected to Iranian or Israeli affairs — the threat of doxxing and direct physical intimidation is no longer theoretical. It is happening now, on American soil.

