Handala hackers target Telegram accounts of Israeli officials

Claims by an Iran-linked cyber group that it had fully compromised the mobile phones of senior political figures in Israel triggered a swift response from security analysts, who say the operation was more limited but still underscores a widening digital pressure campaign aimed at officials and public trust.

Handala Hackers, a collective long tracked for its online activity aligned with Tehran’s strategic messaging, published material in December 2025 it said was extracted from the phones of two high-profile figures connected to Israel’s political establishment. The group portrayed the breach as a deep intrusion, asserting that entire devices had been accessed and controlled. The disclosures, circulated through encrypted channels and sympathetic online forums, included screenshots, fragments of private correspondence and references to contact lists.

Cybersecurity specialists who examined the material concluded that the intrusions were narrower than claimed. Technical assessments indicated that the attackers had gained unauthorised access to Telegram accounts rather than full control of the devices themselves. Analysts pointed to metadata, message continuity and the absence of system-level artefacts as evidence that the compromise was limited to account takeover, likely achieved through phishing or exploitation of weak authentication practices.

Despite the constrained scope, the incident has been treated by security officials as significant. Telegram remains a widely used platform among political figures, advisers and journalists for rapid communication, making even partial access potentially damaging. The exposure of private conversations, even when selectively curated, can be leveraged to embarrass officials, distort narratives or seed disinformation.

The group’s messaging strategy followed a familiar pattern. Handala framed the operation as a major intelligence success, amplifying its claims through coordinated online activity designed to maximise attention. Cyber experts noted that exaggeration is a common tactic in influence operations, where perception often matters as much as technical achievement. By asserting total compromise, attackers seek to undermine confidence in the digital hygiene of political leaders and the institutions they represent.

Security professionals assessing the breach highlighted how account-level intrusions can occur without advanced malware. Social engineering techniques, including convincing messages that prompt targets to enter one-time codes or approve logins, remain effective against even experienced users. In some cases, attackers exploit SIM-swapping or weaknesses in cloud backups to reset credentials. The Handala incident, analysts said, appeared consistent with such methods rather than sophisticated zero-day exploits.

Officials affected by the breach have not publicly detailed the extent of the compromise, but people familiar with the matter said remedial steps were taken quickly once the unauthorised access was detected. These measures included resetting credentials, reviewing active sessions and strengthening authentication controls. Security teams also reviewed whether any sensitive operational or policy-related discussions had been exposed.

The episode fits into a broader pattern of cyber activity attributed to groups aligned with Iran, which have increasingly combined hacking with psychological and information operations. Over the past year, such actors have targeted government agencies, infrastructure providers and individuals across the Middle East and beyond, often coupling limited technical breaches with aggressive propaganda to magnify impact.

Telegram, for its part, has repeatedly said that account security depends heavily on user practices and that features such as two-step verification and session management tools are designed to prevent unauthorised access. Cyber advisers argue that public figures face heightened risk and should treat messaging apps with the same caution as official email systems, including the use of hardware-backed authentication and dedicated devices for sensitive communications.

Within Israel’s security community, the Handala disclosures have renewed debate over the balance between accessibility and security in political communications. While encrypted messaging platforms offer speed and confidentiality, they also create single points of failure if accounts are compromised. Officials have been urged to limit the sharing of sensitive material over consumer applications and to assume that any platform could be targeted.