In December 2025, the Iranian-linked hacking group Handala claimed to have fully compromised the mobile devices of two prominent Israeli political figures.
However, detailed analysis by Kela cyber intelligence researchers revealed a more limited scope: the breaches targeted Telegram accounts specifically, not full device access.
The group claimed to have breached former Prime Minister Naftali Bennett's iPhone 13 during Operation Octopus, releasing contact lists, photos, videos, and roughly 1,900 chat conversations.
Shortly after, they claimed similar access to the device of Tzachi Braverman, the Israeli Chief of Staff. Despite these dramatic claims, the actual breach exposed significant gaps in account security rather than device-level compromise.
Kela analysts conducted a forensic examination of the leaked materials and identified that most of the exposed conversations were empty contact cards automatically generated by Telegram during synchronization.
Only about 40 conversations contained actual messages, with even fewer showing substantial exchanges. All exposed contacts were linked to active Telegram accounts, confirming the data originated from Telegram itself.
Contacts were linked to active Telegram accounts (Source – Kela)
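The triage Kela describes, separating auto-generated contact stubs from real conversations to judge whether a leak reflects account-level or device-level access, can be scripted. The example below is added here and is not Kela's tooling; it assumes the dump is laid out like a Telegram Desktop JSON export (`chats.list[].messages[]`), which the article does not state, and the sample data and the 10-message threshold for "substantial" are constructed.

```python
import json
from collections import Counter

# Constructed sample shaped like a Telegram Desktop JSON export (result.json).
# The real leak's format is not given in the article; this layout is assumed.
SAMPLE_EXPORT = json.dumps({
    "chats": {"list": [
        {"name": "Contact A", "type": "personal_chat", "id": 1, "messages": []},
        {"name": "Contact B", "type": "personal_chat", "id": 2, "messages": []},
        {"name": "Contact C", "type": "personal_chat", "id": 3, "messages": [
            {"id": 10, "type": "message", "date": "2025-12-01T10:00:00",
             "from": "Contact C", "text": "hi"},
        ]},
        {"name": "Group D", "type": "private_group", "id": 4, "messages": [
            {"id": 20 + i, "type": "message", "date": "2025-12-02T09:00:00",
             "from": "member", "text": f"msg {i}"} for i in range(12)
        ]},
        # A chat holding only a service notice is not user content either.
        {"name": "Contact E", "type": "personal_chat", "id": 5, "messages": [
            {"id": 30, "type": "service", "date": "2025-12-03T08:00:00",
             "actor": "Contact E", "action": "joined_telegram"},
        ]},
    ]}
})

SUBSTANTIAL_THRESHOLD = 10  # assumed cut-off for a "substantial" exchange


def classify_chat(chat):
    """Bucket one chat: empty contact card, thin, or substantial.

    Only entries of type "message" count; service notices such as
    "X joined Telegram" are synchronization artifacts, not conversation.
    """
    real = [m for m in chat.get("messages", []) if m.get("type") == "message"]
    if not real:
        return "empty_contact_card"
    return "substantial" if len(real) >= SUBSTANTIAL_THRESHOLD else "thin"


def triage_export(raw_json):
    """Return per-bucket counts and the names of chats with real messages."""
    chats = json.loads(raw_json)["chats"]["list"]
    buckets = Counter(classify_chat(c) for c in chats)
    with_messages = [c["name"] for c in chats
                     if classify_chat(c) != "empty_contact_card"]
    return {"total": len(chats), "buckets": dict(buckets),
            "with_messages": with_messages}


if __name__ == "__main__":
    print(triage_export(SAMPLE_EXPORT))
```

Run against a full export, the ratio of `empty_contact_card` to `substantial` is the number that distinguishes a synced contact list from a genuinely read mailbox.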
Kela researchers and analysts noted that the incident highlighted serious vulnerabilities in session management and account security practices, even on encrypted messaging platforms.
Understanding the infection and account takeover mechanism reveals how Handala compromised these accounts without full device access.
The group likely employed several attack vectors, including SIM swapping, where attackers take control of the victim's phone number to receive login verification codes.
They may also have exploited SS7 protocol weaknesses in telecommunications infrastructure to intercept SMS messages at the network level. Additionally, Handala may have used sophisticated phishing campaigns that captured one-time passwords through fake login pages or malicious QR codes.
Session hijacking
Session hijacking represented another likely vector, where attackers copied the tdata folder from Telegram Desktop, the authentication store containing active session data that grants full account access when restored elsewhere, bypassing OTP and multi-factor authentication entirely.
The group's operational approach also included harvesting OTP codes through several methods: triggering verification via voice calls, extracting codes from voicemail by exploiting unchanged default PINs, or impersonating Telegram support to socially engineer staff into disclosing credentials.
Leaked data (Source – Kela)
Telegram's default settings significantly amplified these risks. The cloud password feature remains optional and disabled by default, meaning possession of an OTP alone provides full account access.
Standard chats lack end-to-end encryption, storing data on Telegram servers as cloud chats rather than locally, expanding the attack surface considerably.
Handala post on the cybercrime platform BreachForums (Source – Kela)
Handala first emerged in December 2023, establishing a presence across several cybercrime forums and operating various Telegram channels and social media accounts.
Their operations primarily targeted Israeli companies and organizations, consistently demonstrating support for Iran and Palestinian causes throughout their campaigns, indicating state-sponsored or state-sympathetic motivations.
