In December 2025, the Iran-linked hacking group generally known as Handala escalated its affect operations towards Israel’s political institution by publishing materials it claimed was pulled from the absolutely “compromised” cell units of two high-profile officers.
A technical evaluate by menace intelligence agency KELA, nevertheless, signifies the intrusions had been far narrower in scope centered on unauthorized entry to Telegram accounts relatively than complete gadget takeover.
The primary alleged breach, branded by Handala as “Operation Octopus,” focused former Israeli Prime Minister Naftali Bennett.
The group claimed it had hacked Bennett’s iPhone 13 and launched contact lists, images, movies, and roughly 1,900 chat conversations.
The leak appeared designed to maximise political and psychological influence: uncovered contacts reportedly included senior Israeli officers, journalists, and enterprise executives.
Bennett initially denied that his gadget had been compromised, however later acknowledged unauthorized entry to his Telegram account whereas sustaining that his telephone itself remained safe.
Quickly afterward, Handala claimed it had additionally breached the iPhone belonging to Tzachi Braverman, Chief of Employees to Prime Minister Benjamin Netanyahu.
In statements accompanying the leak, the group alleged it possessed encrypted communications, monetary information, and proof tied to corruption threatening extra disclosures framed round alleged political scandals.
Based on KELA’s knowledge lake, Handala posted roughly 140 posts throughout platforms together with BreachForums, Ramp, and Exploit throughout this era.
The information Handala revealed included contact lists for senior officers, movies from public occasions, and unclassified paperwork. Israel’s Prime Minister’s Workplace publicly denied the breach.
Handala Telegram Hack
KELA’s evaluation of the launched dataset challenges the group’s headline claims. Investigators discovered that the supposed “chat conversations” had been largely composed of empty contact playing cards robotically generated by Telegram when an account synchronizes contacts.
Out of the roughly 1,900 purported chats, solely round 40 contained precise messages, and fewer nonetheless confirmed significant exchanges.
The group’s websites ran on WordPress and, at instances, left administrative login pages uncovered, revealing a major consumer account, “vie6c”, answerable for working the location.
Critically, the contacts within the dump had been linked to energetic Telegram accounts, supporting KELA’s evaluation that the supply of the info was Telegram account entry relatively than deep forensic extraction from the underlying units.
The episode reinforces a key actuality of contemporary political concentrating on: messaging accounts may be hijacked by means of a number of pathways that don’t require “hacking the telephone.”
Widespread vectors embrace SIM swapping and SMS interception, multi-step social engineering to seize one-time passcodes (together with voicemail-based OTP restoration), and phishing by way of pretend Telegram login pages or malicious QR code flows that may immediately authorize a brand new session.
Implications
Telegram’s elective “cloud password” (its extra password layer) additionally stays a weak level when not enabled or when attackers can steal it by way of phishing, keylogging, or password reuse.
KELA additional assessed that session hijacking stays a sensible route for succesful actors. Telegram Desktop session materials saved within the “tdata” folder can grant full account entry if copied from a compromised workstation or from cloud-synced backups.
Whereas Handala has traditionally deployed infostealers and harmful malware by means of phishing campaigns impersonating trusted distributors, the newest leaks recommend account-level compromise could ship enough influence and not using a full-device intrusion.
Handala first emerged publicly in late 2023 and has maintained a persistent presence throughout cybercrime boards and social platforms, repeatedly resurfacing after account takedowns.
Open-source reporting and OSINT analysis have linked the group to Iran’s broader cyber ecosystem, the place affiliated “leak manufacturers” are used to amplify coercion and narrative warfare even when technical entry is restricted.
For officers and organizations, the incident is a reminder that “safe” apps are solely as robust as their session controls.
Enabling Telegram’s cloud password, tightening SIM safety with carriers, auditing energetic periods, and isolating messaging from cloud backups can scale back the danger of account compromise particularly for high-value targets going through sustained spear-phishing and affect operations.
Observe us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most well-liked Supply in Google.
