In December 2025, the Iran-linked hacking group commonly known as Handala escalated its influence operations against Israel’s political establishment by publishing material it claimed was pulled from the fully “compromised” mobile devices of two high-profile officials.
A technical assessment by threat intelligence firm KELA, however, indicates the intrusions were far narrower in scope, centered on unauthorized access to Telegram accounts rather than full device takeover.
The first alleged breach, branded by Handala as “Operation Octopus,” targeted former Israeli Prime Minister Naftali Bennett.
The group claimed it had hacked Bennett’s iPhone 13 and released contact lists, photos, videos, and roughly 1,900 chat conversations.
The leak appeared designed to maximize political and psychological impact: exposed contacts reportedly included senior Israeli officials, journalists, and business executives.
Bennett initially denied that his device had been compromised, but later acknowledged unauthorized access to his Telegram account while maintaining that his phone itself remained secure.
Soon afterward, Handala claimed it had also breached the iPhone belonging to Tzachi Braverman, Chief of Staff to Prime Minister Benjamin Netanyahu.
In statements accompanying the leak, the group alleged it possessed encrypted communications, financial records, and evidence tied to corruption, threatening further disclosures framed around alleged political scandals.
According to KELA’s data lake, Handala published roughly 140 posts across platforms including BreachForums, Ramp, and Exploit during this period.
The data Handala published included contact lists for senior officials, videos from public events, and unclassified documents. Israel’s Prime Minister’s Office publicly denied the breach.
Handala Telegram Hack
KELA’s analysis of the released dataset challenges the group’s headline claims. Investigators found that the supposed “chat conversations” were largely composed of empty contact cards automatically generated by Telegram when an account synchronizes its address book.
Out of the roughly 1,900 purported chats, only around 40 contained actual messages, and fewer still showed meaningful exchanges.
The group’s websites ran on WordPress and, at times, left administrative login pages exposed, revealing a primary user account, “vie6c”, responsible for running the site.

Critically, the contacts in the dump were linked to active Telegram accounts, supporting KELA’s assessment that the source of the data was Telegram account access rather than deep forensic extraction from the underlying devices.
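The sizing exercise KELA performed above can be reproduced on any claimed dump: separate the empty contact cards Telegram creates during address-book sync from chats that hold real messages. The script below is an added example, not KELA’s own tooling; it assumes the dump follows the Telegram Desktop JSON export layout (a “chats” object with a “list” of chats, each with “messages”), and the sample dump is constructed, not leaked data.

```python
# Triage a claimed Telegram-account dump the way KELA did above: separate
# empty contact cards (created when Telegram syncs an address book) from
# real exchanges. Added example; assumes the Telegram Desktop JSON export
# layout ("chats" -> "list" -> "messages"). Sample data is constructed.
import json
from collections import Counter

MEANINGFUL_MIN = 2  # a real exchange needs at least two text messages

SAMPLE_DUMP = json.dumps({"chats": {"list": [
    {"name": "Contact A", "type": "personal_chat", "id": 1, "messages": []},
    {"name": "Contact B", "type": "personal_chat", "id": 2, "messages": []},
    {"name": "Contact C", "type": "personal_chat", "id": 3, "messages": [
        {"id": 10, "type": "service", "date": "2025-12-01T10:00:00",
         "actor": "Contact C", "action": "joined_telegram", "text": ""}]},
    {"name": "Contact D", "type": "personal_chat", "id": 4, "messages": [
        {"id": 11, "type": "message", "date": "2025-12-02T09:00:00",
         "from": "Contact D", "text": "Are we still meeting at 3?"},
        {"id": 12, "type": "message", "date": "2025-12-02T09:05:00",
         "from": "Owner", "text": [{"type": "bold", "text": "Yes"}, ", see you."]}]},
]}})

def flatten_text(text):
    """Export text is a string or a list of strings and entity dicts."""
    if isinstance(text, str):
        return text
    return "".join(t if isinstance(t, str) else t.get("text", "") for t in text)

def classify_chat(chat):
    """'empty' (contact card only), 'service_only', 'single' or 'exchange'."""
    msgs = chat.get("messages", [])
    real = [m for m in msgs
            if m.get("type") == "message" and flatten_text(m.get("text", "")).strip()]
    if not msgs:
        return "empty"
    if not real:
        return "service_only"
    return "exchange" if len(real) >= MEANINGFUL_MIN else "single"

def triage(dump_json):
    """Count chats per class so a headline '1,900 chats' can be sized honestly."""
    chats = json.loads(dump_json)["chats"]["list"]
    counts = Counter(classify_chat(c) for c in chats)
    kinds = ("empty", "service_only", "single", "exchange")
    return {"total": len(chats), **{k: counts.get(k, 0) for k in kinds}}
```

Run `triage()` over a real export’s `result.json` to get the same empty-versus-exchange breakdown KELA reported for the Bennett dump.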
The episode reinforces a key reality of modern political targeting: messaging accounts can be hijacked through a number of pathways that do not require “hacking the phone.”
Common vectors include SIM swapping and SMS interception, multi-step social engineering to capture one-time passcodes (including voicemail-based OTP recovery), and phishing via fake Telegram login pages or malicious QR code flows that can directly authorize a new session.
Implications
Telegram’s optional “cloud password” (its additional password layer) also remains a weak point when it is not enabled or when attackers can steal it via phishing, keylogging, or password reuse.
KELA further assessed that session hijacking remains a practical route for capable actors. Telegram Desktop session material stored in the “tdata” folder can grant full account access if copied from a compromised workstation or from cloud-synced backups.
While Handala has historically deployed infostealers and destructive malware through phishing campaigns impersonating trusted vendors, the latest leaks suggest account-level compromise can deliver sufficient impact without a full-device intrusion.
Handala first emerged publicly in late 2023 and has maintained a persistent presence across cybercrime forums and social platforms, repeatedly resurfacing after account takedowns.
Open-source reporting and OSINT research have linked the group to Iran’s broader cyber ecosystem, where affiliated “leak brands” are used to amplify coercion and narrative warfare even when technical access is limited.
For officials and organizations, the incident is a reminder that “secure” apps are only as strong as their session controls.
Enabling Telegram’s cloud password, tightening SIM security with carriers, auditing active sessions, and isolating messaging from cloud backups can reduce the risk of account compromise, particularly for high-value targets facing sustained spear-phishing and influence operations.