A group of hackers widely believed to be supported by Iran’s government breached a personal email account belonging to FBI director Kash Patel, which contained material dating from 2010 to 2019. The hackers claimed this was in retaliation for recent FBI operations against them.
The affected account contained some potentially sensitive personal information, such as banking details and documents, but was not found to contain sensitive government or classified information. Patel was working as a federal public defender and as a staffer at the Department of Justice during most of this period, joining the National Security Council’s International Organizations and Alliances directorate in February 2019 and seemingly ceasing regular use of the Gmail account shortly afterward.
Unclear how FBI director’s old Gmail account was breached
The breach was claimed by Handala Hack Team, the group also recently in the news for stealing data from Lockheed Martin and medical firm Stryker. The group claims to be an independent “pro-Palestine” entity, but security experts broadly believe it is directly associated with the government of Iran.
A US government statement indicated that the Gmail account did not contain sensitive or classified government information. The hackers leaked screenshots of items such as Patel’s resume and some photos of him, along with a collection of about 300 emails and some travel receipts, but do not appear to have dumped the full contents yet. Even from what was leaked, there does not appear to be much personally sensitive information involved; the photos show Patel in unremarkable leisure activities such as smoking a cigar and posing with a vintage car.
There have been no public details about how the FBI director’s old Gmail account was breached, but the address had previously appeared in breach lists compiled by security firm District 4 Labs. An independent security researcher who reviewed the leaked files for CNN characterized the account as a “personal junk drawer” rather than a source of secrets. The hackers nevertheless boasted about the breach in a message posted to their website on March 27, claiming it was a “collapse” of a “security legend” and that they had penetrated FBI systems (a claim for which there remains no evidence).
Regardless of the total damage in this specific case, Ross Filipek (CISO at Corsica Technologies) notes that this avenue of attack should be expected on senior figures during armed exchanges: “The privacy takeaway is blunt: personal accounts are not personal during conflict. They are part of the attack surface, and leaders need the same disciplined identity controls and monitoring that we expect in high security enterprise environments.”
Michael Bell, Founder & CEO of Suzu Labs, agrees: “Every government official with a clearance should look at this and ask whether their personal accounts would survive the same scrutiny, because Iran’s MOIS is not the only service running this playbook.”
Iranian hackers have been highly active during military conflict
Although security researchers are fairly certain the hackers work with the Iranian government (if not directly as part of it), the FBI is now offering a $10 million USD reward for information that leads to the identification of specific members.
Some analysts believe that the hackers may simply have found the FBI director’s credentials in the contents of old data breaches. That would explain the age of the material, and how the attackers were able to get into a Gmail account that Patel had seemingly abandoned years ago (making it unlikely he would respond to the usual phishing approaches).
The FBI seized several domains used by the hackers about two weeks ago. In addition to launching attacks, the group hosts a number of websites promoting Iranian government aims and calling for the assassination of journalists and dissidents critical of that government. Handala has responded to the FBI’s bounty by placing a $50 million bounty on the lives of US president Donald Trump and Israeli prime minister Benjamin Netanyahu.
Just before Patel was named as the new FBI director in December 2024, reports from anonymous inside sources to CBS indicated that his email accounts had been targeted by hackers from Iran. However, that report never made clear whether those hackers were successful. Iranian hackers have been targeting figures close to Trump since the 2020 drone strike that killed armed forces commander Qasem Soleimani, and three Islamic Revolutionary Guard Corps (IRGC) members were eventually charged with successfully hacking Trump staffers’ email accounts and leaking the contents to Democrat rivals.
Noelle Murata, Sr. Security Engineer at Xcape, offers advice for public figures who find themselves targeted by these threat actors: “To defend against similar targeted campaigns, executives must move beyond basic Multi-Factor Authentication (MFA) and adopt hardware security keys (e.g., FIDO2/YubiKeys) for all personal accounts.”
“Furthermore, organizations should implement strict ‘digital hygiene’ policies that forbid the mixing of personal and professional correspondence, as even a decade-old resume can provide a roadmap for an adversary,” Murata added. “The technical reality is that the Internet never forgets, and a single lapse in personal security can undermine the perceived integrity of the most powerful law enforcement agency in the world.”
As for Handala’s other projects, the supposedly independent hacktivist group has been highly active since the initial spate of US missile strikes on Iran. The hit on Lockheed Martin involved stealing the personal information of 28 senior engineers, some of whom work on US fighter jets and other military projects. The hackers reportedly obtained home addresses, passport scans and ID numbers, and issued threats to engineers living in Israel demanding that they leave the country or face missile strikes on their homes (something that has not happened). A different Iranian hacking group also claimed to have stolen some 375 TB of data from the company, including technical blueprints for the F-35 plane.
The group also hit Stryker with a damaging attack in early March, deploying wiper malware on about 200,000 company devices and claiming to have stolen about 50 TB of data. While the wiper attack appears to have been confirmed by company employees, it is unclear whether any data was stolen, or how much.