High Severity Cyberattack International

Iran-Linked Handala Group Breaches FBI Director Kash Patel’s Personal Email, Publishes Stolen Files in Retaliation for DOJ Domain Seizures

📅 2026-03-27

On March 27, 2026, Handala — the Iran-linked hacktivist group assessed by Palo Alto Networks and the DOJ to be a persona operated by Iran's Ministry of Intelligence and Security (MOIS) — publicly claimed to have breached the personal Gmail account of FBI Director Kash Patel, publishing more than 300 stolen emails, photographs, and documents. The FBI confirmed the breach in a public statement, noting that "the information in question is historical in nature and involves no government information." The Department of State's Rewards for Justice program simultaneously announced a $10 million reward for information leading to identification of Handala members.

The published materials consisted primarily of personal correspondence, travel receipts, apartment search records, and family photos spanning roughly 2011 to 2022 — predating Patel's appointment to lead the FBI. No current operational or classified FBI information was contained in the dump. The FBI characterized the group's portrayal of a breach of "impenetrable FBI systems" as a distortion, clarifying that no government networks were accessed.

The attack was framed by Handala as direct retaliation for a March 19, 2026 DOJ and FBI operation that seized four internet domains affiliated with Handala and Iran's Ministry of Intelligence and Security, which the Justice Department characterized as infrastructure for "hack-and-leak" psychological operations and cyberattacks against U.S. government officials and Iranian dissidents abroad. In a Telegram post prior to the leak, Handala warned that "the FBI shouldn't have started a confrontation and conflict with us" and promised to release evidence of "the biggest security breach of the past decade."

This incident follows Handala's March 11 wiper attack on Stryker Corporation — the most operationally significant Iranian destructive cyberattack on U.S. infrastructure since Operation Epic Fury began — and represents an escalating pattern of Iranian cyber operations designed to target, embarrass, and degrade U.S. government institutions and law enforcement leadership as asymmetric leverage during the active military conflict.

// Source

📰 CNN Read Full Story →

ThreatMap USA summarizes publicly available reports for informational purposes. See our disclaimer.

// Incident Details

Incident Date2026-03-27
County District of Columbia
StateDC
Severity High
Incident Type Cyberattack, International
PublishedApril 5, 2026
SourceCNN

// More Incidents in District of Columbia

Trump Declares Iran Losing $500M Per Day Under Blockade, Confirms No Removal Until Deal Implemented, Claims Regime Change Achieved
Washington DC  ·  2026-04-20
High
US Notifies European Allies That Weapons Deliveries Face Delays as Iran War Draws Down American Military Stocks
Washington DC  ·  2026-04-17
High
FAA Selects Palantir, Thales and Air Space Intelligence to Build AI Tool for Air Traffic Control and Collision Prevention
Washington DC  ·  2026-04-17
Moderate