Handala claims full control of newsroom systems, targets specific reporters, and prepares to leak sensitive information—marking a dangerous escalation in cyber-political warfare.
Pro-Iranian Group Handala Claims Full-Scale Hack of Iran International’s Systems
On Tuesday, a pro-Tehran hacktivist group known as Handala claimed responsibility for a large-scale cyberattack on Iran International, one of the few independent Persian-language news outlets reporting on Iranian affairs. The group announced the attack via its dark web leak site and Telegram channel, labeling it “Operation Handala.”
In their statement, the hackers alleged that they had gained full control over the outlet’s internal infrastructure, stating:
“All of the network’s systems, servers, and communication infrastructure have been fully compromised and infected. A complete internal data dump has been extracted.”
According to Handala, the stolen data includes sensitive material such as internal communications, the personal and security details of staff members, and banking and financial records. More critically, the group claims to have seized access to Iran International’s main “secure” messaging account, used for communicating with sources inside Iran and abroad.
They assert this includes:
- Full identity profiles of over 71,000 informants and readers
- Confidential reports, attachments, videos, and images
- Communications with foreign intelligence and coordination teams
The group says this data has already been indexed and archived and that selected portions will be released soon.
Targeted Threats Against UK-Based Journalists and Imminent Data Exposure
Beyond the breach itself, Handala has launched a wave of threats against individual journalists—particularly those based in the UK. Prominent broadcaster Mojtaba Pourmohsen, one of Iran International’s lead anchors, has been singled out. The group threatened to release personal images and messages allegedly retrieved from his communications unless he “remains silent.”
In a statement posted on its dark web blog, Handala said:
“We know about the afternoon call with your Mossad handler. Stop speaking. Or we will release everything.”
Handala has also warned that beginning Wednesday, it will target female staff and affiliated analysts, implying the use of personal and potentially compromising material obtained in the breach.
Hacked Data Includes Communications, Bank Records, Informant Logs, and Media Archives
According to the group’s claims, the stolen data is wide-ranging and highly sensitive. In addition to journalist and staff information, Handala says it now holds access to the identities of the outlet’s media liaisons, foreign contacts, and even encrypted channels previously considered secure by both sources and employees.
Their message claims the breach has captured:
- Personal security information of staff
- Internal and external editorial discussions
- Communications between Iran International and intelligence agencies
- Archived media content and evidence of alleged coordination with foreign services
Handala says it is cross-referencing the information against intelligence databases and promises to make select records public as part of its broader campaign.
Motivations Behind the Attack: Allegations of Espionage and Foreign Sponsorship
Handala accuses Iran International of being a “media-based espionage and influence network” funded by Israeli intelligence services. They claim the outlet receives “tens of millions of dollars per month” from Mossad and works as a psychological warfare tool.
Calling the organization a “falsely-branded independent media outlet,” Handala says the attack was both retribution and a warning to Iranians who engage with the platform:
“To everyone who has reached out to this network: You are being watched. Your information has been logged. And your reckoning is near.”
Telegram Shutdowns Spark Further Hostility and Retaliation
Handala also used the breach to criticize platforms like Telegram, which removed the group’s 20th official channel shortly after the attack announcement. In retaliation, the group created a 21st channel—which was again taken down—and accused Telegram of censorship and media bias.
In response, they escalated threats toward Iran International’s newsroom and accused journalists of participating in “media terrorism.” The takedowns, they claim, further justify their campaign of digital retaliation.
Iran International’s Security History and Broader Context of Iranian Cyber Activity
Iran International operates under Volant Media, headquartered in London, with additional offices in Washington, DC, and Paris. Despite branding itself as an independent source of news for the Iranian people, the outlet has faced scrutiny from both the Iranian regime and critics abroad.
In 2023, following direct threats against its UK-based journalists, the outlet temporarily moved its London operations to Washington, DC.
This attack occurs against the backdrop of increasing cyber hostilities tied to Middle East tensions. Since the June 21 airstrikes on Iranian nuclear facilities, U.S. Homeland Security has issued multiple advisories about Iranian cyber threats, including low-level DDoS attacks on U.S. banks, energy infrastructure, and political targets like Donald Trump and his Truth Social platform.
Handala is just one of over 130 known pro-Iranian hacktivist groups, several of which—including the Cyber Jihad Movement, Mr. Hamza, and Holy League—have ramped up operations in recent months.
From Data Breach to Crisis Response
For media organizations and politically sensitive institutions, this type of attack highlights the urgent need for more than traditional cybersecurity. When attackers aim to dox staff and weaponize internal communication, safeguarding the integrity and availability of data becomes mission-critical.
That’s where immutable backup and recovery solutions step in—ensuring even if the worst happens, you can restore operations quickly and securely.