On March 1, 2026, an email arrived in the inboxes of Iranian dissidents and journalists living in the United States. The subject line read: “Death to [redacted victim names].” The body of the email didn’t mince words.
“We the Handala Hack team, the loyal followers of the supreme leader Ali Hosseini Khamenei, declare war on all the enemies of Islam in the West,” it read. “Our partners, the CJNG [Jalisco New Generation Cartel] cartel in America and Canada have been given a list of our enemies.” The email claimed that CJNG operatives had already been provided with victims’ home addresses — addresses obtained through hacking — and offered a bounty: “$250,000 for the operatives who kills and beheads both of you.”
This was not a ransomware note. This was a state intelligence agency outsourcing assassination contracts to one of the world’s most violent drug cartels.
The Department of Justice announced this week the seizure of four domains directly tied to Iran’s Ministry of Intelligence and Security (MOIS) and the Handala Hack operation. Those domains are now offline. The operation behind them is not.
What Was Seized
The FBI and DOJ dismantled four domains that served as the operational infrastructure for Iranian state-directed cyber and psychological operations:
- Justicehomeland[.]org
- Handala-Hack[.]to
- Karmabelow80[.]org
- Handala-Redwanted[.]to
These weren’t passive websites. They were active command-and-control surfaces for a multi-layered operation: claim credit for destructive cyberattacks, post stolen personal data to maximize psychological damage, incite third parties to commit real-world violence, and propagandize against the United States, Israel, and Iranian dissidents abroad.
The four domains were linked through a combination of shared leak site infrastructure, Iranian IP ranges, and what investigators describe as a common “faketivist” operational playbook — the practice of Iranian intelligence services dressing up state-directed operations as independent hacktivist movements.
The Handala Hack Timeline
The weeks leading up to the seizure illustrated the breadth of Handala’s operations. In a roughly two-week window in March 2026:
March 11, 2026: Handala claimed credit for a destructive malware attack against a US-based multinational medical technologies company. The group framed it as retaliation for “ongoing cyber assaults against the infrastructure of the Axis of Resistance.” Attacking medical technology infrastructure isn’t cyber activism — it’s sabotage with potential patient safety consequences.
March 9, 2026: Handala posted the names and personally identifiable information of approximately 190 individuals associated with the Israel Defense Forces and Israeli government. The accompanying message was explicit: “their residences were known, consequences would soon follow.”
March 6, 2026: Two separate operations on the same day. In the first, Handala posted names and data of IDF members with a message that combined surveillance boasts with direct incitement: “Your iPhone 12 Pro Max holds no security for us; we even know your exact location…” followed by a call for the “Axis of Resistance” to “respond to these Zionist pigs yourselves.” In the second, the group claimed to have stolen 851 gigabytes of data from the Sanzer Hasidic Jewish community, posting: “No place is safe for you.”
The pattern across all of these operations is consistent: steal data, weaponize it publicly, direct others to act on it violently. The group doesn’t need to pull the trigger. That’s the point.
The MOIS Connection
Handala Hack and the Justicehomeland entity aren’t independent hacker collectives. They are operational fronts for Iran’s Ministry of Intelligence and Security — one of the most active and aggressive foreign intelligence services targeting Western nations, dissidents, and US infrastructure.
The Justicehomeland and Karmabelow80 domains have a documented history predating the 2026 operations. In July and September of 2022, the same infrastructure was used to claim responsibility for stealing sensitive government documents from Albania — an operation motivated by Albania’s decision to host MEK (Mujahedeen e-Khalq), an Iranian opposition organization that Tehran considers an existential threat. Albania subsequently expelled Iranian diplomats over the attacks.
The MOIS playbook has been consistent across years: use proxy personas to maintain deniability, target diaspora communities and dissidents who are most vulnerable to intimidation, and blend genuine cyberattacks with psychological operations designed to create fear that outlasts any individual data breach.
Iran Meets the Cartel: The Most Alarming Detail
The CJNG partnership — if accurate as alleged — represents a significant escalation in tactics that deserves to be stated clearly: Iran’s intelligence service appears to have solicited a Mexican drug cartel to physically murder Iranian dissidents living in the United States.
This is not the first time Iranian intelligence has been linked to potential physical operations on US soil. The DOJ has previously charged Iranian operatives with plotting assassinations of US officials and dissidents. But the alleged use of CJNG — a cartel with documented operational presence in American cities, a demonstrated willingness to conduct contract violence, and networks that are significantly harder for US counterintelligence to penetrate than traditional state intelligence channels — represents a tactical evolution.
The email, sent from Handala_Team@outlook[.]com (since seized), went to multiple targets. These were not vague threats. The senders claimed to have specific home addresses, obtained through hacking, and attached a specific dollar amount to the life of each named individual.
The FBI Baltimore Field Office, the US Attorney’s Office for the District of Maryland, and the DOJ’s National Security Division are jointly handling the investigation and prosecution. The inter-agency involvement signals how seriously the government is treating what is, at its core, a state-directed assassination solicitation.
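For defenders who want to check stored DNS or mail-gateway logs against the four seized domains and the sender address quoted above, here is an added example; it is not code from the DOJ, the FBI, or any source cited in this article. It refangs the indicators exactly as printed here and matches on whole DNS labels, so subdomains hit but look-alike names such as nothandala-hack.to do not. The log formats and sample lines are constructed, and the function names are hypothetical.

```python
import re

# Indicators copied from this article, still in defanged form.
DEFANGED_DOMAINS = ["Justicehomeland[.]org", "Handala-Hack[.]to",
                    "Karmabelow80[.]org", "Handala-Redwanted[.]to"]
DEFANGED_SENDER = "Handala_Team@outlook[.]com"

def refang(indicator):
    """Undo '[.]' defanging; drop a trailing root dot; lower-case."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
SENDER = refang(DEFANGED_SENDER)

def matched_domain(hostname):
    """Return the listed domain that hostname equals or is a subdomain of."""
    labels = refang(hostname).split(".")
    # Compare whole-label suffixes so 'nothandala-hack.to' does not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None

def hunt(log_lines):
    """Return [(line_number, indicator)] for every hit in log_lines."""
    token = re.compile(r"[A-Za-z0-9_.@-]+")
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for word in token.findall(line):
            if "@" in word:  # mail address: match the full sender only
                hit = SENDER if refang(word) == SENDER else None
            else:
                hit = matched_domain(word)
            if hit:
                hits.append((number, hit))
    return hits

# Constructed sample lines; the DNS and mail-gateway formats are hypothetical.
SAMPLE_LOG = [
    "2026-03-05T10:02:11Z dns client=10.0.4.17 query=www.Handala-Hack.to. type=A",
    "2026-03-05T10:02:12Z dns client=10.0.4.17 query=nothandala-hack.to type=A",
    "2026-03-06T08:45:00Z mail from=<handala_team@outlook.com> rcpt=<user@example.org>",
    "2026-03-07T14:20:31Z dns client=10.0.9.3 query=karmabelow80.org type=AAAA",
    "2026-03-07T14:21:02Z dns client=10.0.9.3 query=example.org type=A",
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```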
Rewards for Justice: $10 Million
The US government’s Rewards for Justice program is offering up to $10 million for information on foreign government-directed hackers who have targeted US critical infrastructure — a category that plainly includes a destructive attack on a medical technology firm.
Tip line contact information:
- Tor-based: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtfluqfc5ep7eiodiad.onion
- Phone: +1-202-702-7843
- X/Twitter: @RFJ_USA
The program accepts tips via Signal and Tor specifically to protect sources who may themselves be at risk of Iranian retaliation.
The Statements From Leadership
Attorney General Pamela Bondi was direct: “Terrorist propaganda online can incite real-world violence — thanks to our National Security Division and the U.S. Attorney’s Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate.”
FBI Director Kash Patel: “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents. We took down four of their operation’s pillars and we’re not done.”
Assistant Attorney General John Eisenberg framed it in the broader context of Iran’s global terrorism sponsorship: “Iran, the leading state sponsor of terrorism worldwide, used the seized domains to dox and harass dissidents and journalists, incite violence against Jewish communities, and spread Tehran’s anti-American propaganda.”
The phrase “we’re not done” from the FBI Director is worth noting. The seizure of four domains disrupts infrastructure but does not neutralize the intelligence officers directing the operations, the operatives running the technical side, or Iran’s ability to stand up replacement infrastructure.
What This Means
Domain seizures are tactical wins. They disrupt operations, force adversaries to rebuild infrastructure, expose their methods, and send a deterrence signal. They are not strategic defeats. MOIS was operating this playbook in 2022. It is still operating it in 2026.
For organizations in sectors that Iran has historically targeted — defense contractors, government agencies, Jewish community organizations, Iranian diaspora support groups, medical and critical infrastructure firms — the Handala operation is a reminder that the threat model includes not just network intrusion but targeted doxing designed to facilitate physical harm.
For dissidents, journalists, and activists who have fled Iran and are living in the US or allied nations: the threat is real, it has cartel-level enforcement behind it, and law enforcement is urging anyone who has received similar communications to contact the FBI immediately.
The DOJ announcement and full background on the seizure are available from the Department of Justice.
The four domains are seized. The operation continues.



