The Iranian government-linked hacking group, ‘Handala Hack Team’, announced Friday that it broke into FBI Director Kash Patel’s personal Gmail account — and to prove it, they published personal photos, his resume, and hundreds of emails on the internet.
The FBI confirmed the breach, calling the stolen material “historical in nature” and insisting no government information was compromised. The Department of Justice separately confirmed to Reuters that Patel’s emails had been compromised.
But the optics are brutal: the man in charge of the nation’s top law enforcement agency just got hacked by the same group he publicly vowed to “hunt down” barely a week ago.
What Was Leaked
The hackers posted more than 300 emails that appear to span from roughly 2010 to 2022.
Multiple news outlets reviewed the files, which include a mix of personal correspondence, travel receipts, family photos, tax-related messages, apartment search details, and what appears to be Patel’s personal resume — complete with his phone number and email address.
Among the more colorful materials: photos of Patel posing with a cigar, standing next to an antique convertible with Cuban license plates, and taking a mirror selfie with a bottle of rum.
Cybersecurity researcher Ron Fabela, who reviewed the files for CNN, noted that what Handala is calling a breach of “impenetrable” FBI systems is really just a compromised personal Gmail account. No current FBI operations were exposed in the leaked materials.
Multiple outlets confirmed the breach’s authenticity. TechCrunch verified at least some of the emails by checking information contained in the message headers, and the Gmail address matches one linked to Patel in previous data breaches catalogued by dark web intelligence firm District 4 Labs.
It’s Not the First Time
This isn’t even the first time Iranian hackers have gotten into Patel’s personal communications. In late 2024 — weeks before he was appointed to lead the FBI — U.S. officials informed him that he’d been targeted as part of a broader Iranian hacking campaign.
That effort also went after incoming Trump administration officials including Deputy Attorney General Todd Blanche, former interim U.S. Attorney Lindsey Halligan, and Donald Trump Jr.
Cybersecurity experts believe this latest leak may actually stem from that earlier compromise. Alex Orleans, head of threat intelligence at Sublime Security, told NBC News the material looks like something the hackers had been sitting on and chose to deploy now for maximum embarrassment.
“Iranian actors sit on all kinds of odds and ends for a rainy day,” Orleans said.
The Tit-for-Tat
The timing is deliberate. Just last week, the FBI and DOJ seized four websites connected to Handala as part of what prosecutors described as an effort to disrupt Iranian government hacking and “psychological operations.”
At the time, Patel himself issued a combative statement: “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents.
This FBI will hunt down every actor behind these cowardly death threats and cyberattacks.”
Handala’s response was, essentially, to hack Patel personally.
“While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala Hack members, we decided to respond to this ridiculous show in a way that will be remembered forever,” the group wrote on its website.
The State Department is now offering up to $10 million for information leading to the identification of the Handala hackers.
Who Is Handala?
Despite presenting itself as a pro-Palestinian hacktivist collective, the U.S. government says Handala is a front for Iran’s Ministry of Intelligence and Security (MOIS). The DOJ has formally linked the group to at least two other Iranian hacking personas — “Justice Homeland” and “Karma Below” — saying they’re all run by the same people.
The group first surfaced in late 2023 and has escalated dramatically since the U.S.-Israeli military campaign against Iran began on February 28, 2026.
Their recent resume includes a destructive cyberattack against medical technology giant Stryker on March 11, during which the hackers reportedly wiped tens of thousands of employee devices and disrupted manufacturing, ordering, and shipping operations.
That attack even delayed some surgeries due to backlogs in custom implant deliveries.
Handala said the Stryker attack was retaliation for a missile strike on an elementary school in the Iranian city of Minab, which Iranian state media reported killed at least 168 children.
The group has also claimed a hack of defense contractor Lockheed Martin, published the personal details of roughly 190 people allegedly connected to the Israeli Defense Forces, and sent death threats to Iranian dissidents living in the United States — including offering a $250,000 bounty for their killing.
The Bigger Picture
This hack fits into a broader pattern that U.S. intelligence agencies have been warning about since the war with Iran began.
A classified assessment reviewed by Reuters on March 2 predicted that Iran and its proxies would respond to the killing of Supreme Leader Ayatollah Ali Khamenei with low-level cyberattacks against American digital infrastructure.
The Patel breach is embarrassing but relatively low-stakes in terms of actual intelligence exposure. It’s the kind of hack-and-leak operation Iran has used before — most notably when Iranian hackers breached the Trump campaign in 2024 and exposed vice presidential vetting documents.
But there’s a deeper irony here. The FBI director who has positioned himself as a tough-on-Iran cyber warrior just became the most prominent American victim of the exact kind of attack he pledged to stop. And the group he boasted about shutting down was back online within hours, posting his personal photos for the world to see.
The domain seizures that Patel celebrated last week were always going to be a temporary inconvenience for a state-backed hacking operation. Cybersecurity experts at the Foundation for the Defense of Democracies said at the time that the seized websites held “minimal” value and could be replaced “within literally a matter of minutes or hours.”
They were right. And now the hackers have made that point in the most personal way possible.
