Iran’s Handala Hackers Dox 2,379 Marines Across the Persian Gulf
The Iran-linked Handala Hack Team published what it described as the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf on April 28, hours after Marines in Bahrain began receiving WhatsApp messages threatening drone and missile strikes. The Wall Street Journal first reported the leak. US Central Command referred questions to the Naval Criminal Investigative Service while authenticity assessments continued. Check Point Research has tied the persona to an Iranian intelligence unit.
The breach is the most public escalation yet in a digital campaign tied to the US-Israeli war on Iran that opened in late February. Handala styles itself as a pro-Palestinian hacktivist outfit, but the US Department of Justice and multiple cybersecurity vendors attribute the group to Iran’s Ministry of Intelligence and Security. The Telegram message described the release as proof of the group’s intelligence superiority and called US base security an empty illusion. Service members in Bahrain reported identical WhatsApp threats a day earlier from what appeared to be a hijacked Bahraini business phone number.
Telegram Dump Lists 2,379 Names With Visible Data Gaps
The group posted the data to its public Telegram channel on Tuesday, April 28, with a message claiming the release was only a sample and that further publications could include tens of thousands more service members. Independent reporters who reviewed the file flagged a long list of integrity problems. Some rows contained incomplete phone numbers. Some name fields held what appeared to be military contract identifiers rather than names.
The group also claimed it holds home addresses, family information, base details, shopping habits, and nightly leisure routines for thousands of additional troops. Researchers at Bitdefender and Cybernews note those data points could have been assembled from breached commercial data brokers, social media profiles, and credential dumps rather than pulled from a single secure system. The point of a campaign like this is not to prove a particular intrusion but to put a name, a phone number, and a location in front of a Marine and a Marine’s family at the same time.
Reporters Found Incomplete Phone Numbers in the Sample
When reporters dialed two dozen numbers from the leaked sample, most reached automated voice messaging systems. In three cases, names left on voicemails matched names from the file. One person confirmed their identity but hung up after being told about the leak. Another said they could not answer questions and referred the reporter to the Navy’s public affairs office.
That verification sample is small, but the result fits a deliberate pattern. The group does not need every entry to be authentic. It needs enough authentic entries for a Marine reading the list to feel exposed and for a journalist verifying the leak to confirm at least some hits.
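As an added illustration of the integrity triage described above (not code from the article or from any source it cites), the hypothetical Python script below scores a leaked contact dump for the defects reporters flagged, incomplete phone numbers and identifier-like name fields, and additionally counts repeated numbers, a padding sign the article does not mention. The column names, the E.164-style phone heuristic and the sample rows are all constructed assumptions.

```python
import csv
import re
from collections import Counter

# Hypothetical triage script; the column names and heuristics are assumptions.
# Loose E.164 shape after separators are stripped: optional '+', 8-15 digits.
# The 8-digit floor is an assumption so a truncated '+973 1734' is flagged.
PHONE_RE = re.compile(r"^\+?[1-9]\d{7,14}$")

def digits_only(raw: str) -> str:
    return re.sub(r"\D", "", raw)  # '+1 (555) 010-0142' -> '15550100142'

def phone_is_complete(raw: str) -> bool:
    """True if the number has an E.164-like shape once separators are removed."""
    return bool(PHONE_RE.match(re.sub(r"[\s\-().]", "", raw.strip())))

def name_looks_like_identifier(name: str) -> bool:
    """Heuristic: digits in a 'name' field suggest a contract or record ID."""
    return bool(re.search(r"\d", name))

def triage(csv_text: str) -> dict:
    """Per-row checks for the defects reporters flagged, plus repeated numbers.
    'clean_share' is the fraction of rows passing every check, the figure an
    analyst quotes when judging how much of a published sample is credible.
    """
    rows = list(csv.DictReader(csv_text.splitlines()))
    seen = Counter(digits_only(r["phone"]) for r in rows)
    stats = Counter({k: 0 for k in ("incomplete_phone", "identifier_name",
                                    "duplicate_phone", "clean")})
    for r in rows:
        bad = {
            "incomplete_phone": not phone_is_complete(r["phone"]),
            "identifier_name": name_looks_like_identifier(r["name"]),
            "duplicate_phone": seen[digits_only(r["phone"])] > 1,
        }
        stats.update(k for k, hit in bad.items() if hit)
        stats["clean"] += not any(bad.values())
    result = {"rows": len(rows), **stats}
    result["clean_share"] = round(stats["clean"] / len(rows), 2) if rows else 0.0
    return result

# Constructed sample mirroring the reported defects: a truncated number,
# a contract-style identifier where a name should be, and a repeated phone.
SAMPLE_CSV = """name,phone,unit
Jane Doe,+973 0000 0001,NSA Bahrain
John Smith,+1 (555) 010-0142,Camp Placeholder
W912XX-24-C-0001,+973 1734,Unit 7
Alex Roe,+973 0000 0001,NSA Bahrain
Maria Garcia,555-01,Unit 2
"""
```

Running `triage(SAMPLE_CSV)` on the constructed rows reports one clean row out of five, which is the kind of figure a verifier would set against the claimed size of a dump before treating it as authentic.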
WhatsApp Threats Land at Naval Support Activity Bahrain
According to Stars and Stripes’ reporting from Bahrain, the threats arrived on Monday, April 27, sent through WhatsApp to service members stationed in Bahrain, which hosts US Naval Forces Central Command. Stars and Stripes reviewed identical messages received by two different service members. The texts came from what appeared to be a Bahraini cell number tied to a legitimate business on the island, indicating the number had been spoofed or hijacked.
The messages warned recipients that their identities were known to Iranian missile units and that they would be targeted by Shahed drones and Kheibar and Ghadeer missiles. Recipients were told to call their families and say their final goodbyes. The messages also referenced Iran’s claimed casualties at a primary school in Minab, in southern Iran’s Hormozgan province, struck in the early days of the conflict. Similar threats reached residents in Israel the same day, according to The Jerusalem Post. CENTCOM referred questions about the messages to NCIS. NCIS did not say how many people received them.
Check Point Ties Handala to the MOIS Persona Void Manticore
Check Point Research’s published analysis of the group assesses Handala Hack as one of three online personas operated by an Iranian threat actor it tracks as Void Manticore. The same cluster is known in other vendor frameworks as Red Sandstorm, Banished Kitten, and Cobalt Mystique. Check Point links the actor to Iran’s Ministry of Intelligence and Security and traces its operations as far back as 2022, when the Homeland Justice persona was used in destructive wiper attacks against Albanian government agencies.
The cluster typically gains initial access through compromised credentials or supply-chain footholds at IT service providers, then moves laterally using RDP and basic tunneling tools, and deploys destructive wipers alongside hack-and-leak releases. Recent Handala campaigns have routed traffic through Starlink IP ranges to bypass Iranian government internet blackouts. The cluster’s tactics have stayed consistent since 2022, which means strengthening defenses against credential theft and supply-chain footholds remains the most direct counter for would-be victims.
From Albania to Stryker to the FBI Director’s Inbox
Public Handala claims over the past four months include the following high-profile operations:
- A January 2026 takeover of public-address systems at roughly 20 Israeli kindergartens, triggering air-raid sirens and Arabic-language broadcasts in classrooms.
- A March 2026 cyberattack on US medical device maker Stryker, branded Operation Epic Fury, in which the group says it wiped more than 200,000 systems across 79 countries and exfiltrated 50 terabytes of data. Stryker confirmed severe, global disruption affecting all company laptops in a Securities and Exchange Commission filing.
- An April 2026 breach of FBI Director Kash Patel’s personal Gmail account, with the group publishing more than 300 emails from the inbox.
- The current April 28 release of personal data on 2,379 US Marines.
Justin Moore, a threat intelligence researcher at Palo Alto Networks’ Unit 42, described Handala to Wired earlier this year as a group that combined the noisy playbook of a hacktivist outfit with the destructive capabilities of a nation-state, calling it a primary cyber-retaliatory arm for the Iranian regime.
Navy Memo Already Warned Sailors of Operation Epic Fury
Two weeks before the Marines leak, then-Navy Secretary John Phelan issued an April 17 unclassified memo to Department of the Navy personnel warning of adversary cyber actors conducting a social engineering campaign against sailors, Marines, and their families. The Hill’s coverage of the unclassified memo reports it named Operation Epic Fury as the catalyst and called on personnel to lock down social media accounts, switch on multi-factor authentication, and ask family members to scrub identifying images and information from public posts.
Phelan asked sailors to turn off Bluetooth and Wi-Fi when not in use, avoid public Wi-Fi, treat dating apps that request personal information with caution, and set social profiles to the highest privacy setting. The memo went out before Phelan was abruptly removed from his post on April 22 by Defense Secretary Pete Hegseth, in a dispute reported to involve shipbuilding strategy and an unrelated First Amendment ruling. The Navy guidance acknowledges, in effect, that personal devices are now part of the attack surface for force protection.
Fifth Fleet’s 2.5 Million Square Miles Multiplies the Risk
The Persian Gulf is not an ordinary posting. The US 5th Fleet, operationally run through US Naval Forces Central Command at Naval Support Activity Bahrain, covers about 2.5 million square miles of water across 21 countries, including the Arabian Gulf, the Red Sea, the Gulf of Oman, the Gulf of Aden, the Arabian Sea, and parts of the Indian Ocean. Its area encompasses three of the world’s most heavily monitored maritime chokepoints: the Strait of Hormuz, the Suez Canal, and Bab el-Mandeb.
CENTCOM’s wider area of responsibility spans more than 4 million square miles and roughly 560 million people. About 1.34 million active-duty US service members were on the books as of December 2025, according to USAFacts, and a significant share rotate through CENTCOM postings. In a region where Iranian forces have already seized commercial vessels and the US Navy has imposed a blockade on Iranian ports, a phone number paired with a duty station and a deployment pattern is operationally sensitive information.
FBI, IBM, and Verizon Reports Frame the Wider Stakes
Iran-linked operations are running on top of a global cyber baseline that is already breaking records.
| Report | Headline figure | Year |
|---|---|---|
| FBI Internet Crime Complaint Center | Nearly $21 billion in cyber-enabled crime losses | 2025 |
| IBM Cost of a Data Breach | $4.44 million global average breach cost (down 9%) | 2025 |
| IBM Cost of a Data Breach | $10.22 million record US average breach cost | 2025 |
| Verizon Data Breach Investigations Report | 30% of breaches involved a third party, doubled from 15% | 2025 |
| FBI IC3 2024 report | $16.6 billion in losses, a 33% rise year over year | 2024 |
The FBI’s 2025 Internet Crime Report announcement placed total cyber-enabled crime losses at nearly $21 billion, with cryptocurrency and artificial intelligence-related complaints among the costliest categories. IBM’s 2025 Cost of a Data Breach Report, conducted by the Ponemon Institute, found the global average breach cost fell 9 percent to $4.44 million, the first decline in five years, while the US average climbed to a record $10.22 million. Verizon’s 2025 Data Breach Investigations Report found third-party involvement in confirmed breaches doubled to 30 percent of cases, a shift driven largely by supply-chain compromises and service-provider intrusions.
Iranian operators sit inside this trend rather than outside it. Check Point researchers have documented Void Manticore deploying commodity infostealers purchased on criminal forums, such as Rhadamanthys, alongside custom wipers in phishing campaigns. That pairing complicates attribution and pulls criminal tooling directly into state intelligence operations.
April CISA Advisory Connects to a Broader Iranian Pattern
On April 7, CISA, the FBI, the NSA, and the Department of Energy issued a joint advisory warning that Iranian-affiliated advanced persistent threat actors were exploiting internet-exposed programmable logic controllers at US water, wastewater, energy, and local-government facilities. The agencies attributed operational disruption and financial loss to the activity and tied it to escalating hostilities with Iran. The advisory builds on a December 2023 alert against the IRGC-linked CyberAv3ngers persona, which compromised at least 75 Unitronics PLC devices across multiple US states.
Lee Sult, chief investigator at the cybersecurity firm Binalyze, gave Cybernews a blunt read on what the Marines leak means in that wider context after the data was published.
Even when ceasefires are declared and deals are made, groups like Handala should still be considered an active threat and a warfighting asset of the Iranian regime. They make a statement that they will target anyone and everyone perceived as an enemy of Iran.
Sult described Handala as objectively active, opportunistic, and growing in confidence, mixing destruction, leaks, intimidation, and psychological warfare. He argued that Iran’s conventional military reach is now constrained enough that cyber will remain its dominant retaliatory tool through any pause in fighting.
Personal Data Sits Inside the Force-Protection Perimeter
Handala’s stated intent is to make individual Marines and their relatives feel watched, whether or not the underlying records came from a current intrusion. That distinction matters less to a service member receiving a WhatsApp message naming their family than to a security researcher reviewing the leak afterward. Threat intelligence firms and the Navy memo converge on a similar list of responses for affected service members and their commands:
- Identity-protection and credit-monitoring support for service members named in the leak and their families.
- Audit of contact information held by personnel offices, base contractors, and supply-chain IT vendors.
- Review of personal-device exposure across messaging apps, dating apps, social media, and dual-use phones.
- Continuous monitoring of dark-web markets and Telegram channels for military-linked records being resold.
- Sanctions, indictments, and infrastructure seizures targeting named MOIS operators and their commercial proxies.
The US Treasury Department sanctioned Yahya Hosseini Panjaki, the MOIS deputy intelligence minister tied by independent researchers to the Handala persona, in September 2024. According to Iran International reporting cited by BeyondTrust analysts, he was killed in a March 2026 Israeli strike on MOIS headquarters. His death has not visibly slowed Handala’s tempo, suggesting the operations are institutional rather than dependent on a single figure.
That is the harder lesson sitting under the April 28 dump. The Marines whose names appeared on a Telegram channel did not see classified materials leak. They saw a public statement that their families, schedules, and phone numbers are catalogued by a foreign intelligence service and can be published at any time. That is force protection, not data protection. The Pentagon’s response will need to treat scattered personal data, third-party data brokers, and commercial messaging apps as part of the same defensive perimeter as the bases themselves.