Office of the Attorney General

03/19/2026 | Press release | Distributed by Public on 03/19/2026 16:02

Justice Department Disrupts Iranian Cyber Enabled Psychological Operations

The Justice Department announced the seizure of four domains as part of an ongoing effort to disrupt hacking and transnational repression schemes conducted by the Islamic Republic of Iran's Ministry of Intelligence and Security (MOIS). The affidavit supporting the seizure warrant can be found here. The seized domains - Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to - were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli persons. For example, the MOIS used the Handala-hack[.]to domain to claim credit for a March 2026 destructive malware attack against a U.S.-based multinational medical technologies firm.

"Terrorist propaganda online can incite real-world violence - thanks to our National Security Division and the U.S. Attorney's Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate," said Attorney General Pamela Bondi. "Our cyber assets will remain ever-vigilant to root out and deactivate networks that pose a threat to American citizens."

"Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents," said FBI Director Kash Patel. "We took down four of their operation's pillars and we're not done. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them."

"Iran, the leading state sponsor of terrorism worldwide, used the seized domains to dox and harass dissidents and journalists, incite violence against Jewish communities, and spread Tehran's anti-American propaganda," said Assistant Attorney General for National Security John A. Eisenberg. "NSD is committed to dismantling Iran's cyberwarfare infrastructure and detecting and preventing Iran's cyber-enabled terrorism."

"Unleashing terroristic ideology into the cybersphere is a direct threat to our national security. The U.S. Attorney's Office is committed to collaborating with our law-enforcement partners to identify threats, shut them down, and hold bad actors accountable," said Kelly O. Hayes, U.S. Attorney for the District of Maryland. "We will not hesitate to use all our resources and available tools to do whatever is necessary to ensure the safety and security of our nation."

"The Iranian regime exploits cyberspace to advance authoritarian objectives, suppress democratic institutions, and undermine our national and economic security," said FBI Baltimore Special Agent in Charge Jimmy Paul. "The FBI will act swiftly, deliberately, and proactively to disable cyber threats to America and use every available authority to ensure those responsible are identified, apprehended, and held accountable."

The FBI's investigation revealed that the four seized domains were linked to each other through shared leak sites, Iranian IP ranges, and a common operational "playbook." That playbook includes destructive and disruptive cyber-attacks and "faketivist" psychological operations using data stolen via hacking.

The Domains handala-hack[.]to and handala-redwanted[.]to

As alleged in court documents, after the U.S.-Iran conflict began on February 28, 2026, the MOIS-controlled domains handala-hack[.]to and handala-redwanted[.]to published personally identifiable information ("PII") associated with targeted individuals. The domain handala-hack[.]to also claimed responsibility for hacks conducted by the group. Specifically:

  • On March 11, 2026, Handala Hack, via the Handala-hack[.]to domain, claimed credit for conducting a destructive malware attack against a U.S.-based multinational medical technologies firm. The Handala Hack persona claimed the hack was retaliation for "ongoing cyber assaults against the infrastructure of the Axis of Resistance."
  • As of March 9, 2026, Handala Hack, via the Handala-redwanted[.]to domain, posted the names and sensitive PII of approximately 190 individuals associated with or employed by the Israeli Defense Force (IDF) and/or Israeli government. The Handala Hack posting contained threats indicating the individuals were being monitored, their residences were known, and that consequences would soon follow.
  • On March 6, 2026, Handala Hack, via the Handala-hack[.]to domain, posted names and confidential data corresponding to individuals Handala Hack claimed worked for the IDF. The post stated, in part, "Your iPhone 12 Pro Max holds no security for us; we even know your exact location…," and urged "People of the Axis of Resistance! See these names and respond to these Zionist pigs yourselves."
  • On March 6, 2026, Handala Hack, via the Handala-hack[.]to domain, claimed it stole 851 gigabytes of confidential data from members of the Sanzer Hasidic Jewish community, including "documents of financial cooperation, witchcraft ceremonies, and secret correspondences with Netanyahu ..." The post continued "We warn the leaders and members of the Sanzer Hasidic community: No place is safe for you. Betrayal of the oppressed leads to nothing but disgrace and shame. Expect more documents to be revealed. Handala Hack[.]"

These threats and the related information were not just publicly posted. The FBI's investigation also revealed that the email account Handala_Team@outlook[.]com was used to send death threats to Iranian dissidents and journalists living in the United States and abroad. In those communications, Handala Hack offered bounties and openly called for Mexican cartel "partners" to commit acts of violence against Handala Hack's targets. Specifically, on or about March 1, 2026, the Handala_Team@outlook[.]com account was used to email two victims, located in the United States and abroad. In an email with the subject line "Death to [redacted victim names]," the sender wrote:

"We the Handala Hack team, the loyal followers of the supreme leader Ali Hosseini Khamenei, declare war on all the enemies of Islam in the West. Our partners, the CJNG [Jalisco New Generation Cartel] cartel in America and Canada have been given a list of our enemies who are responsible for our great leaders [sic] death. [Redacted names], you laughed like hyenas during the [redacted] show. We have hacked and revealed your home addresses in [redacted] and [redacted] to our partners in the CJNG who are in [redacted U.S. state] and [redacted foreign country] now. Both of you will be executed soon, and we have offered a reward of $250,000 for the operatives who kills [sic] and beheads both of you. ALLAHU AKBAR[.]"

The domain handala-hack[.]to was also used as part of a broader effort to intimidate and harass Iranian dissidents and journalists living in the United States and abroad. According to investigators, threat actors associated with the domain directed online threats toward individuals who publicly criticized the Iranian government. In those cases, the MOIS attempted to embarrass and discredit its targets by circulating messages and content intended to damage their reputations. By leveraging online platforms linked to the domain, the MOIS sought to amplify its online threats, pressure critics, and discourage independent reporting, while creating fear among members of the Iranian diaspora critical of the regime.

The Domains Justicehomeland[.]org and Karmabelow80[.]org

The domains Justicehomeland[.]org and Karmabelow80[.]org were the official websites of a shell hacktivist entity used by MOIS. On or about July 15, 2022, and September 9, 2022, MOIS actors used the Justicehomeland[.]org domain to claim responsibility for stealing sensitive documents from Albanian government organizations. The motivation for leaking this information appears to be the Albanian government's decision to support an Iranian dissident group called Mujahedeen e-Khalq or "MEK." MEK has, in the past, openly advocated for the overthrow of the Iranian government.

In addition to these enforcement actions, the Department of State's Rewards for Justice program is offering a reward of up to $10 million for information on any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. Read more about this reward offer on the Rewards for Justice website.

The FBI Baltimore Field Office is investigating the case, in coordination with FBI Cyber Division.

The United States Attorney's Office for the District of Maryland and the National Security Division's National Security Cyber Section are prosecuting the case.

Office of the Attorney General published this content on March 19, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on March 19, 2026 at 22:02 UTC.