Was FBI Director Kash Patel Hacked by Iranian Bad Actors?

“Today, once again, the world witnessed the collapse of America’s so-called security legends,” reads the website of the Iranian hacktivist group Handala Hack.
The group published a series of personal images linked to FBI Director Kash Patel, boasting that his name was now “among the list of successfully hacked victims”.
The images – now spreading across social media – are stamped with the threat group’s watermark and show Patel sniffing a cigar, posing with alcohol and standing beside a jet.
Alongside the nine released pictures was a sample of more than 300 work-related and personal emails dated between 2010 and 2019.
The hack, the group claims, was in retaliation for the FBI’s seizure of Handala-linked domains. The bureau had also offered a reward of US$10m for information on members linked to the group.
“We decided to respond to this ridiculous show in a way that will be remembered forever,” the Handala statement notes.
Though Handala Hack gained access to the personal email account of the FBI Chief, the agency notes that the data released are historical in nature and involve no government information.
The age of the data has prompted speculation that it is linked to a previous breach by Iranian actors, which targeted Patel back in 2024.
An FBI statement says it is "aware of malicious actors targeting Director Patel’s personal email information and we have taken all necessary steps to mitigate potential risks associated with this activity".
Hacking offensive
Handala has been taking aggressive action ever since the US-Israeli war on Iran began, hitting US medical giant Stryker, which suffered major disruption to its services.
The attack, which saw hundreds of thousands of devices wiped (as claimed by the threat actor) and logins defaced, was, according to the group, retaliation for the bombing of the Minab school in Iran, which killed 168 people, including schoolgirls.
The advanced persistent threat (APT) – linked to the Islamic Revolutionary Guard Corps – also goes by the aliases Void Manticore and Storm-842.
“This incident highlights a persistent vulnerability – the gap between enterprise-grade security and personal account security,” says James Turgal, VP of Global Cyber Risk and Board Relations at Optiv.
“High-profile individuals remain prime targets and standard consumer email protections are rarely sufficient against state-sponsored threat actors. This will be a recurring theme in the months to come, as Iran seeks to expand its cyberwarfare activities, as its ability for a kinetic response diminishes.
“Organisations spend millions securing their internal networks, but threat actors simply pivot to the softest target – the personal, unmanaged devices and email accounts of the people connected to those networks.”
In a world where security is becoming increasingly complex, “nation state and advanced persistent threat ‘APT’ groups frequently rely on highly tailored spear-phishing and social engineering attacks to bypass technical defenses,” James explains.
He continues: “Compromising a current administration official's personal email is rarely the end goal for a state-sponsored group. Threat actors typically use these compromised accounts to map out social networks, gather intelligence or launch highly credible secondary phishing attacks against additional officials.”
Fallout and aftermath
James notes that the incident targeting Patel was a classic case of credential harvesting.
“Iranian APTs are known for their patience, often monitoring an inbox for months to understand communication patterns before using that access to pivot toward higher-value targets,” he says. “We are seeing a normalisation of cyber-espionage targeting individuals rather than just institutions.”
According to Francisco Zuazo, Manager of Global Threat Ops at Carnival Corporation, the hack serves as a reminder that “no one is untouchable”.
“Even the FBI Director’s personal email wasn’t safe,” Francisco wrote on LinkedIn. "Iran-linked Handala Hack Team dumped 300+ old emails & photos from Kash Patel’s account and the FBI confirmed it."
Acknowledging that personal accounts are primary targets in state-backed cyber operations, Francisco urges people to “stop reusing passwords”.
“Handala Hack team’s breach of FBI Director Kash Patel’s Gmail isn’t just embarrassing – it’s a geopolitical flex,” he goes on. “Old emails and personal pics leaked by Iran-linked actors show how adversaries are shifting from infrastructure to individuals at the top.”
He elaborates that the lesson here is that “high-profile targets get hit through the path of least resistance”.
The exec advises enabling MFA for all applications and keeping separate accounts for work and personal activities.
Going further, Francisco notes that it is imperative to “treat every inbox like it’s already compromised.”







