Friday, January 2, 2026

Handala Hackers Breach Telegram Accounts Linked to Israeli Officers


In December 2025, the Iran-linked hacking group known as Handala escalated its influence operations against Israel's political establishment by publishing material it claimed was pulled from the fully "compromised" mobile devices of two high-profile officials.

A technical review by threat intelligence firm KELA, however, indicates the intrusions were far narrower in scope, centered on unauthorized access to Telegram accounts rather than full device takeover.

The first alleged breach, branded by Handala as "Operation Octopus," targeted former Israeli Prime Minister Naftali Bennett.

The group claimed it had hacked Bennett's iPhone 13 and released contact lists, photos, videos, and roughly 1,900 chat conversations.

The leak appeared designed to maximize political and psychological impact: exposed contacts reportedly included senior Israeli officials, journalists, and business executives.

Bennett initially denied that his device had been compromised, but later acknowledged unauthorized access to his Telegram account while maintaining that his phone itself remained secure.

Soon afterward, Handala claimed it had also breached the iPhone belonging to Tzachi Braverman, Chief of Staff to Prime Minister Benjamin Netanyahu.

In statements accompanying the leak, the group alleged it possessed encrypted communications, financial records, and evidence tied to corruption, threatening further disclosures framed around alleged political scandals.

According to KELA's data lake, Handala published roughly 140 posts across platforms including BreachForums, Ramp, and Exploit during this period.

Handala post on the cybercrime platform BreachForums.

The data Handala published included contact lists for senior officials, videos from public events, and unclassified documents. Israel's Prime Minister's Office publicly denied the breach.

Handala Telegram Hack

KELA's analysis of the released dataset challenges the group's headline claims. Investigators found that the supposed "chat conversations" were largely composed of empty contact cards automatically generated by Telegram when an account synchronizes its contacts.

Out of the roughly 1,900 purported chats, only around 40 contained actual messages, and fewer still showed meaningful exchanges.
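The kind of triage KELA describes, as an added example (not KELA's tooling and not from the original article): the script classifies each chat in a leaked dump as an empty contact card, a thin one-sided chat, or a genuine two-way exchange. It assumes the dump is laid out like Telegram Desktop's JSON export (a top-level "chats" object whose "list" holds chats, each with a "messages" array); the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of Telegram Desktop's export (result.json).
# Only the fields used below are included; real exports carry many more.
SAMPLE_EXPORT = {
    "chats": {
        "list": [
            {"id": 1, "name": "Contact A", "type": "personal_chat", "messages": []},
            {"id": 2, "name": "Contact B", "type": "personal_chat", "messages": []},
            {"id": 3, "name": "Contact C", "type": "personal_chat", "messages": [
                {"id": 10, "type": "service", "action": "create_group", "from": "Contact C"},
            ]},
            {"id": 4, "name": "Contact D", "type": "personal_chat", "messages": [
                {"id": 20, "type": "message", "from": "Contact D", "text": "Hello"},
                {"id": 21, "type": "message", "from": "Owner", "text": "Hi, thanks"},
                {"id": 22, "type": "message", "from": "Contact D", "text": "Meeting at 9?"},
            ]},
            {"id": 5, "name": "Contact E", "type": "personal_chat", "messages": [
                {"id": 30, "type": "message", "from": "Contact E", "text": "ping"},
            ]},
        ]
    }
}


def load_export(path):
    """Read a Telegram-style JSON export from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def classify_chat(chat, min_messages=3):
    """Label one chat: 'empty' (contact card only), 'thin', or 'exchange'."""
    # Service entries (group created, photo changed, ...) are not user content.
    msgs = [m for m in chat.get("messages", []) if m.get("type") == "message"]
    if not msgs:
        return "empty"       # exactly what contact sync produces: no messages at all
    senders = {m.get("from") for m in msgs}
    if len(msgs) >= min_messages and len(senders) >= 2:
        return "exchange"    # both sides wrote something: a real conversation
    return "thin"            # one or two messages, or only one party talking


def triage_export(export, min_messages=3):
    """Count chats per label so a headline figure can be checked against content."""
    counts = Counter(classify_chat(c, min_messages) for c in export["chats"]["list"])
    return {k: counts.get(k, 0) for k in ("empty", "thin", "exchange")}
```

Run against a real export the headline count of "chats" collapses to the number in the "exchange" bucket, which is the figure worth comparing with a threat actor's claim.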

The group's websites ran on WordPress and, at times, left administrative login pages exposed, revealing a primary user account, "vie6c", responsible for operating the site.

Handala seeking assistance through the aaPanel platform.

Critically, the contacts in the dump were linked to active Telegram accounts, supporting KELA's assessment that the source of the data was Telegram account access rather than deep forensic extraction from the underlying devices.

The episode reinforces a key reality of modern political targeting: messaging accounts can be hijacked through several pathways that do not require "hacking the phone."

Common vectors include SIM swapping and SMS interception, multi-step social engineering to capture one-time passcodes (including voicemail-based OTP recovery), and phishing via fake Telegram login pages or malicious QR code flows that can directly authorize a new session.

Implications

Telegram's optional "cloud password" (its additional password layer) also remains a weak point when it is not enabled or when attackers can steal it via phishing, keylogging, or password reuse.

KELA further assessed that session hijacking remains a practical route for capable actors. Telegram Desktop session material stored in the "tdata" folder can grant full account access if copied from a compromised workstation or from cloud-synced backups.

While Handala has historically deployed infostealers and destructive malware through phishing campaigns impersonating trusted vendors, the latest leaks suggest account-level compromise may deliver sufficient impact without a full-device intrusion.

Handala first emerged publicly in late 2023 and has maintained a persistent presence across cybercrime forums and social platforms, repeatedly resurfacing after account takedowns.

Open-source reporting and OSINT research have linked the group to Iran's broader cyber ecosystem, where affiliated "leak brands" are used to amplify coercion and narrative warfare even when technical access is limited.

For officials and organizations, the incident is a reminder that "secure" apps are only as strong as their session controls.

Enabling Telegram's cloud password, tightening SIM security with carriers, auditing active sessions, and isolating messaging data from cloud backups can reduce the risk of account compromise, especially for high-value targets facing sustained spear-phishing and influence operations.
