What happened
The FBI seized four domains used by Iran’s Ministry of Intelligence and Security to publish stolen data and support cyber operations under personas like “Handala.” The sites hosted information taken from victims including the government of Albania, Iranian dissidents, Israeli officials, and U.S. companies. Authorities said the infrastructure had been used since at least 2022 to conduct cyberattacks, leak stolen data, and carry out influence and intimidation campaigns. The takedown followed a court-approved seizure warrant and comes after the same group claimed responsibility for recent attacks, including the disruption of medical technology company Stryker.
Who is affected
Victims include government entities, private organizations, and individuals whose data was stolen and published on the seized websites, as well as broader targets of Iran-linked cyber operations.
Why CISOs should care
The operation highlights how nation-state actors use public leak sites as part of cyber campaigns—combining data theft, psychological operations, and public exposure to amplify impact beyond the initial breach.
3 practical actions
- Monitor for data exposure on leak sites. Track whether organizational data appears in public dumps or threat actor platforms.
- Assess nation-state threat exposure. Evaluate risk from groups using both cyber intrusion and information operations.
- Prepare for secondary impacts. Account for reputational, legal, and operational risks tied to public data leaks.
