Iranian-aligned hackers sent threatening WhatsApp messages to some U.S. service members at bases in the Persian Gulf, warning that they were about to be targeted by missiles and drones.
“Your identities are fully known to our missile units,” at least one of the messages sent Monday read. “Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles.”
Both the FBI and military authorities are investigating the texts, which were claimed by the Handala Hack Team. The group claimed on its Telegram channels to have compromised personal information for thousands of troops deployed to the region, a hack it called a “drop in the ocean” of the group’s capabilities. Though some of the publicly leaked phone numbers appeared incomplete and outdated, Handala did manage to text personnel stationed in Bahrain, where the U.S. Fifth Fleet is headquartered.
“What we are seeing now is much more personal and psychological,” said Ensar Seker, chief information security officer at the cyber intelligence firm SOC Radar. “The objective is no longer only technical disruption, it is intimidation, influence, and creating fear among the deployed personnel, or potentially their families.”
A spokesman for the Naval Criminal Investigative Service confirmed to Task & Purpose that the agency and the FBI are investigating “a threatening communication that was recently received by U.S. Marines and U.S. Navy personnel affiliated with prior or current service within the Persian Gulf region.” The spokesman declined to comment further, including on the number of service members who received a message.
Handala, which emerged in 2023 amid a flurry of pro-Palestinian hacktivism during Israel’s war on Gaza, has previously carried out website defacements and DDoS attacks. But cyber experts said the group’s latest actions show they’re becoming more sophisticated and bold, just as a fragile U.S.-Iran ceasefire appears on the verge of breaking down. It also comes after the Navy told sailors this month to lock down their online footprints as cyber threats ticked up during the war.
Like many politically motivated cyber groups, Handala has a history of mixing legitimate activity with exaggeration, but they have had notable successes.
In March, Handala successfully breached FBI Director Kash Patel’s personal Gmail account. The group also attacked a medical equipment supplier with large Pentagon contracts using cloud administration tools rather than traditional malware, a tactic that surprised some cyber researchers.
The group’s Bahrain messages and leak of U.S. service member data may have had flaws, but it was still troubling to experts. “The important question is not whether every number they publish is accurate,” Seker said, but “whether they process enough real information to identify, contact, and intimidate or socially engineer individuals.”
“Even a relatively small amount of verified personal data can be operationally useful for harassment campaigns, for phishing, or impersonation attempts,” Seker added.
U.S. Central Command declined to comment on the leaks.
The threat is changing
The Handala Hack Team, which takes its name and logo from a popular Palestinian cartoon of a barefoot refugee boy, is largely believed to be affiliated with Iranian intelligence. Attributing responsibility in a cyber attack is always difficult, and there might not be a direct command-and-control relationship between Handala and Iran, but the group has been in lockstep with the Islamic Republic’s messaging and priorities.
Following the ceasefire negotiations, Handala published a message on their official channels claiming they were acting “according to the orders from the highest leadership of the Resistance Axis.”
“This type of operational language is notable,” the cybersecurity firm Outpost24 assessed at the time. “While not definitive, it strengthens the assessment that Handala Hack Team may operate as a proxy or aligned actor within a broader state-linked campaign.”
SOC Radar, which launched a public dashboard to track cyber attacks during the Iran War, has found that Handala and other cyber groups opposed to the U.S. and its allies are increasingly collaborating.
When Handala’s Telegram channels are suspended for violating rules around malware and data theft, for instance, other pro-Russian and pro-Iranian hacktivists have started to quickly promote the new channel launched by Handala personnel. In the past, Seker said, it took weeks to create a new channel and publicize it.
The larger network has also appeared to help Handala with recruitment and the sharing of hacked information. In a recent case, SOC Radar identified a Handala bot asking sympathetic Telegram users what skills they could offer to help the cause, while also requesting phone numbers and identification information.
That type of activity by Handala and other groups may have encouraged a Navy-wide notice in recent weeks urging sailors to take basic precautions, like turning off Bluetooth and WiFi connections when they’re not using their devices, as well as to “beware of dating or other apps” that encourage the sharing of personal photos and details.
“What you’re seeing is a broad revolution where cyber operations, psychological influence, intimidation, recruitment and information warfare are increasingly blended together,” Seker said. “The technical breach itself is only part of the story.”