Sourced Exclusively from Public Record — DOJ Filings, OFAC Registers, FBI Notices, Court Documents, Threat Intelligence, and Open Journalism

Border Cyber Group


I. THE OPERATORS: NAMED, SANCTIONED, AND IN TWO CASES, DEAD

Principal 1: Seyed Yahya Hosseini Panjaki

The Architect

This is the most thoroughly documented figure in the entire Handala command structure, and the highest-value individual the operation has lost.

Yahya Hosseini Panjaki served as the Iranian Ministry of Intelligence and Security (MOIS) deputy intelligence minister for internal security affairs, where he oversaw the Iranian regime's efforts to assassinate Iranian dissidents abroad. Panjaki was linked to multiple MOIS-sponsored plots carried out in coordination with narcotics traffickers and terrorist groups, including Hizballah. Panjaki played a role in the attempted bombing of a gathering of Iranian dissidents in Paris, among other operations in Europe. U.S. Department of the Treasury

His documented identifiers from public sanctions records:

Seyed Yahya Hosseiny Panjaki, aka Seyed Yahya Hamidi, served as an MOIS officer heading the Directorate for Internal Security and Deputy Minister of Intelligence for Israel affairs. His Iranian Passport No: T56344199 (expiry: 30 March 2027) appears on the Australian Sanctions Consolidated List. Opensanctions

Yahya Hoseini Panjaki's Iranian National ID is 0320523659. He was sanctioned by the U.S. Treasury Department following Iran International's 2024 disclosure of his activities. Panjaki allegedly organized the cyberattack on Iran International as personal retaliation and was reportedly tasked with detaining Israeli operatives in Tehran during the attack period. Iranianthreatactors

Panjaki was born on January 23, 1975, in Karaj, Iran. He holds a PhD in Political Science from Azad University of Tabriz and has authored academic publications. In addition to his formal role at the MOIS, Panjaki reportedly founded the so-called "Martyr Soleimani" unit — named after former IRGC Quds Force commander Qassem Soleimani. This clandestine unit specializes in global sabotage operations carried out in coordination with the IRGC and the regime's network of proxy forces. NCRI

The FBI specifically documented his role in running criminal networks: The FBI pointed to Panjaki's oversight of the Naji Sharifi Zindashti criminal network, which was involved in targeting U.S.-based Iranian dissidents between December 2020 and March 2021. Panjaki is also identified as the superior of Iranian intelligence officer Reza Hamidi Ravari, who is likewise wanted for questioning by U.S. authorities. NCRI

Legal Status at time of death: Sanctioned by the US Treasury in September 2024. The EU and UK followed with their own sanctions. Panjaki was added to the FBI terrorism watch list. AnonHaven

Death: On 2 March 2026, Iran International reported that Israeli strikes on the MOIS headquarters eliminated Seyed Yahya Hosseini Panjaki, the MOIS deputy intelligence minister assessed to have led the Handala, Karma Below, and Homeland Justice personas. SecurityWeek confirmed that Seyed Yahya Hosseini Panjaki was killed in the opening phase of Israeli strikes on Iranian intelligence infrastructure in early March 2026. BeyondTrust; Shieldworkz


Principal 2: Mohammad Mehdi Farhadi Ramin

The Hacker

Mohammad Mehdi Farhadi Ramin was accused of stealing the identities of American citizens and accessing national security data. Farhadi had been wanted by US authorities since 2020 for his alleged involvement in malicious cyber activity dating back to at least 2013, including targeting companies, universities, US defense contractors, and nonprofits to access sensitive data. Authorities say he also stole credit card information and Social Security numbers belonging to US citizens to fund illicit activities, while marketing some of the stolen data on the black market. National Today

Ramin was first indicted on September 15, 2020, by a federal grand jury in Newark, New Jersey, for his alleged involvement in a massive, coordinated cyber intrusion campaign on behalf of the Iranian government. Ramin and a co-defendant reportedly vandalized websites with ideological messaging meant to project Iranian influence, including images of burning Israeli flags and threats that appeared to "signal the demise" of countries viewed as rivals to Iran, including the US, Israel and Saudi Arabia. National Today

US documents accuse him and another suspect of illegally accessing computer systems and stealing hundreds of terabytes of data, including information related to national security, foreign policy, civilian nuclear research, aerospace data and unpublished scientific studies. X

Death: Mohammad Mehdi Farhadi Ramin died in the city of Hamadan. Iran International confirmed the death through a review of state funeral announcements, and his funeral was held the following Monday. The IRGC cyberwarfare headquarters was also struck during the same period of operations. National Today; Lawfare


Principal 3: Ali Bermoudeh

The FATA Liaison

Iran International later exposed Ali Bermoudeh — a close associate of Iran's cyber police (FATA) — as a key operator within the Handala structure. The channel published details about Bermoudeh's private life. FATA (Iran's Cyberspace Police) serves as a bridge between the uniformed security apparatus and the MOIS cyber operations, providing Handala with a parallel chain into Iran's law enforcement intelligence infrastructure. Bermoudeh's exposure by Iran International — one of Handala's own primary targets — represents a significant counterintelligence embarrassment for the operation. JISS


The Broader Command Chain

Public reporting — including research by Iranian journalist and researcher Nariman Gharib — has mapped the command chain with reasonable fidelity. Below Panjaki sit hands-on keyboard operatives: a small team running manual, RDP-heavy operations and managing the multi-persona structure across Handala, Karma, and Homeland Justice. The group is documented to purchase initial access and tools from underground criminal services. Shieldworkz

The unit's annual operating budget has been estimated at US$7.7 million per year, primarily invested in personnel, criminal access broker services, and infrastructure. Shieldworkz


II. THE FEDERAL RECORD: DOJ DOMAIN SEIZURES AND COURT FILINGS

This section draws entirely from publicly filed court documents and official DOJ press releases.

The Justice Department seized four domains as part of an ongoing effort to disrupt hacking and transnational repression schemes conducted by the MOIS. The seized domains — Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to — were used by the MOIS to claim credit for hacking activity, post sensitive data stolen during such hacks, and call for the killing of journalists, regime dissidents, and Israeli persons. U.S. Department of Justice

The affidavit supporting the seizure warrant is part of the public court record, and it reveals the operational playbook in stark legal language:

The FBI's investigation revealed that the four seized domains were linked to each other through shared leak sites, Iranian IP ranges, and a common operational "playbook." That playbook includes: destructive and disruptive cyber-attacks; and "faketivist" psychological operations using data stolen via hacking. U.S. Department of Justice

The cartel-Iran nexus documented in federal filings: Handala's public references to the CJNG cartel carry weight beyond propaganda. On March 6, 2026, a US court convicted MOIS asset Asif Merchant of terrorism and murder-for-hire in a separate plot targeting American politicians. Iranian intelligence contracting cartel hitmen on US soil is not hypothetical but a documented prosecution. AnonHaven

The DOJ framing is unequivocal: The US Department of Justice described Handala as a fictitious identity used by the MOIS to hide its role in "influence operations and psychological scaremongering campaigns." Wikipedia

Senior DOJ language on record:

"Iran, the leading state sponsor of terrorism worldwide, used the seized domains to dox and harass dissidents and journalists, incite violence against Jewish communities, and spread Tehran's anti-American propaganda," said Assistant Attorney General for National Security John A. Eisenberg. U.S. Department of Justice

And from the FBI: "The Iranian regime exploits cyberspace to advance authoritarian objectives, suppress democratic institutions, and undermine our national and economic security," said FBI Baltimore Special Agent in Charge Jimmy Paul. U.S. Department of Justice


III. THE $10 MILLION REWARD AND ITS IMPLICATIONS

Following the hack of FBI Director Kash Patel's personal email, the Rewards for Justice Program offered up to $10 million in exchange for the identification of the Handala group. Wikipedia

The Rewards for Justice (RFJ) program, administered by the State Department's Diplomatic Security Service, is not issued casually. A $10M designation places Handala in the same tier as named al-Qaeda financiers and high-value narco-terrorism targets. It signals that the US government has exhausted its ability to reach these operators through traditional law enforcement channels — indictment without extradition — and is actively seeking human intelligence sources, whether inside Iran, inside the diaspora community, or inside the criminal underground that Handala uses for access brokering.

The specific structure of an RFJ payout matters: it can be paid in cryptocurrency, to an offshore account, or through a third country — deliberately designed to protect source identity. In a post-war Iranian landscape where the regime has been materially weakened and insider defection risk is elevated, this is not a trivial tool.


IV. GEOPOLITICAL NETWORK: PROXY CONNECTIONS AND REGIONAL POLITICAL ALIGNMENT

The Electronic Operations Room

Multiple Iranian state-aligned personas and collectives claimed responsibility for a range of disruptive operations, several of which are associated with the recently established "Electronic Operations Room" formed on February 28, 2026. A surge in hacktivist activity was observed, with some estimates of 60 individual groups active, including pro-Russian groups. Palo Alto Networks

This is significant: the Electronic Operations Room is a coordination layer above individual groups, indicating that Handala does not operate in isolation but as part of a deliberately orchestrated multi-actor campaign with central direction.

Regional Proxy Network Operating Alongside Handala

Other documented actors in the same operational ecosystem:

313 Team (Islamic Cyber Resistance in Iraq) is an active pro-Iranian hacktivist cell that claimed responsibility for targeting the Kuwait Armed Forces, Kuwait Ministry of Defense, and Kuwait Government websites. DieNet is a pro-Iran hacktivist group conducting DDoS attacks across the Middle East, claiming attacks against airports in Bahrain and Sharjah, Riyadh Bank, the Bank of Jordan, and an airport in the UAE. Palo Alto Networks

Lebanon and Hezbollah Nexus

Panjaki's personal role in coordinating with Hezbollah, as documented in his Treasury designation, establishes a direct operational bridge between Handala and Iran's most capable proxy. Panjaki was linked to multiple MOIS-sponsored plots carried out in coordination with narcotics traffickers and terrorist groups, including Hizballah. This is not a philosophical alignment — it is a documented operational relationship used for real-world violence. U.S. Department of the Treasury

Hamas Alignment

In December 2023, the group expressed support for Hamas after IRGC general Razi Mousavi was killed in an Israeli airstrike. Handala's emergence within two months of October 7th was not coincidental timing — the MOIS unit was effectively placed on a war footing within days of the Hamas attack, indicating prior positioning and planning. Wikipedia

Palestinian Influence Operation Infrastructure

The group's name itself is a deliberate appropriation: Handala is named after the character drawn by Palestinian cartoonist Naji al-Ali in 1969, which has since been used to symbolize Palestinian identity and resilience. The group uses Handala's image in its online propaganda and cyberattacks. This is not organic sympathy but calculated brand capture — using an established Palestinian cultural symbol to launder Iranian state interests as grassroots resistance. Wikipedia


V. MILITARY OPERATIONS AGAINST HANDALA INFRASTRUCTURE

Operation Roaring Lion / Operation Epic Fury — Cyber Domain Effects

The cyber domain played a supporting role in the initial kinetic strikes, with coordinated US-Israeli operations reportedly disrupting Iranian command, control, and sensor networks ahead of airstrikes. US Chairman of the Joint Chiefs of Staff Gen. Dan Caine stated that "coordinated space and cyber operations effectively disrupted communications and sensor networks" in Iran prior to the main kinetic strikes, with the explicit goal of leaving the adversary "disrupted, disoriented and confused." Wikipedia

Israeli intelligence operations targeting Iranian communications infrastructure extended beyond military networks: Israeli intelligence reportedly maintained long-term access to Tehran traffic camera networks and mobile-phone infrastructure, using the feeds to support targeting of senior Iranian leaders, including the strike that killed Khamenei. Wikipedia

IRGC Cyber HQ Strike

The Islamic Revolutionary Guard Corps cyberwarfare headquarters was struck in the opening phase of operations. This eliminates not just Handala's MOIS chain but also degrades the IRGC-parallel cyber apparatus — the one running APT33, APT35 (Charming Kitten), and CyberAv3ngers — meaning the two parallel Iranian cyber bureaucracies both sustained leadership-level infrastructure losses simultaneously. Lawfare

Iranian Internet Blackout as Force Multiplier

Internet access in Iran has been blocked by the regime. Handala migrated to Starlink during Iran's January shutdown, but it is difficult to see how they could really ramp up destructive attacks against the West anytime soon. Lawfare

This blackout is actually a self-imposed constraint that cuts both ways: it was designed to suppress internal dissent communications, but it simultaneously degrades the operational capacity of regime cyber units who depend on Iranian internet infrastructure for their operational backbone.

FBI Domain Seizure — March 19, 2026

On March 19, the Federal Bureau of Investigation took down Handala's website, which was used to document its activities. A backup website and two others linked to Iran's cyber operations were also shut down. Handala's X account was also banned. The following day, Handala restored its website. Wikipedia

The 24-hour restoration time is operationally significant: it demonstrates pre-positioned backup infrastructure and domain resilience planning, but it also required Handala to burn pre-staged resources rather than hold them for future operations.


VI. CONFIRMED HIGH-VALUE INTELLIGENCE COLLECTION OPERATIONS

These are the operations that graduate beyond nuisance-level into genuine strategic intelligence damage — a category that should concern Western governments far beyond the wiper attacks.

Former IDF Chief of Staff Herzi Halevi: Handala said it extracted more than 19,000 confidential images and videos — including top-secret meetings, classified files, and photos showing Halevi in his home environment, with his family, and on trips. The group also released photos taken during Halevi's meetings with his counterparts in the Arab world, including a previously undisclosed visit to Qatar, and secret flights in business jets. The hacker group also said it "fully identified and archived" the clear, unblurred faces of hundreds of Israeli pilots, field commanders, and security operatives, whom it labelled "war criminals." Haaretz

Former Mossad Director Tamir Pardo: In late March 2026, Handala leaked personal correspondence and documents from former Mossad Director Tamir Pardo's Gmail inbox, exposing residential addresses, phone numbers, and travel patterns. Haaretz

Soreq Nuclear Research Center: Handala claimed a 197-gigabyte breach of the Soreq Nuclear Research Center. Israel's National Cyber Directorate assessed the claim as primarily psychological warfare. The uncertainty is itself damaging — Israel cannot publicly confirm or deny what was actually taken, which preserves Handala's psychological leverage regardless of the technical reality. Shieldworkz

Clalit Health Services: On February 25, the group said it hacked into Clalit Health Services and released medical information from over 10,000 patients. Clalit is Israel's largest healthcare fund — the breach represents both an intelligence collection and a civilian intimidation operation simultaneously. Wikipedia

Israeli Police Internal Databases: Handala claimed exfiltration of 2.1 TB of Israeli police data including personnel records, weapons inventories, and psychological profiles of officers. Shieldworkz

US Military Personnel — Active Targeting: US service members assigned to units in the Middle East received threatening messages from Handala via WhatsApp. The messages warned service members that they were under surveillance and threatened to target them with drones and missiles: "Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles." Stars and Stripes

Lockheed Martin Engineers in Israel: Handala published the alleged personally identifiable information of 28 engineers working in Israel for the Maryland-based defense contractor Lockheed Martin, including both names and home addresses. The group claimed to have contacted these individuals directly, warning them they will be targeted with missile strikes if they do not leave Israel. FDD


VII. TECHNICAL FINGERPRINTS AND IOC SUMMARY (FROM PUBLIC THREAT INTEL)

The following are drawn from published research by Check Point, Unit 42, and Critical Start — all public record:

Infrastructure Fingerprints:

  • Historically egressed through commercial VPN segment 169.150.227.X for Israeli operations
  • Post-January 2026 Iran internet shutdown: shifted to Starlink IP ranges
  • Declining OPSEC: direct connections from Iranian IP address ranges now documented
  • Default Windows hostnames DESKTOP-XXXXXX and WIN-XXXXXX consistently appear in victim VPN authentication logs
  • Email infrastructure: Handala_Team@outlook[.]com documented in FBI affidavit as death-threat delivery account
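The two fingerprints above that a defender can actually act on are the default Windows hostnames and the documented 169.150.227.0/24 egress segment. The script below is an added example (not code from the original report or from any of the cited vendors) that triages VPN authentication records for both, weighting successful logins higher. The key=value log format and the sample lines are constructed for the demo; the hostname-length tolerance and the 203.0.113.0/24 "extra" range passed by the caller are assumptions (Starlink or other ranges would come from the analyst's own ASN lookups, which this example does not perform).

```python
"""Triage VPN auth logs for Handala infrastructure fingerprints.

Added example. Not from the original report or any vendor's tooling.
Log format and sample lines are constructed for this demo."""
import ipaddress
import re
from dataclasses import dataclass, field

# Default Windows computer names are "DESKTOP-" plus 7 random characters
# (client SKUs) or "WIN-" plus 11 (server SKUs). Assumption: accept 6..11
# so minor variants still match; tighten if your fleet never uses these.
DEFAULT_HOSTNAME_RE = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{6,11}$", re.IGNORECASE)

# The only egress range named in the public reporting above. Anything else
# (e.g. Starlink allocations) is passed in by the caller as an assumption.
DOCUMENTED_EGRESS_NETS = [ipaddress.ip_network("169.150.227.0/24")]

# Constructed key=value record layout used by the sample lines below.
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    line_no: int
    user: str
    src: str
    host: str
    reasons: list = field(default_factory=list)
    score: int = 0


def is_default_windows_hostname(name):
    """True if the hostname looks like an unrenamed Windows install."""
    return bool(DEFAULT_HOSTNAME_RE.match(name))


def ip_in_nets(ip_str, nets):
    """True if ip_str parses and falls inside any network in nets."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def triage(lines, extra_nets=()):
    """Score each auth record; return findings, highest score first.

    extra_nets: additional CIDR strings the analyst wants watched (assumption).
    """
    nets = DOCUMENTED_EGRESS_NETS + [ipaddress.ip_network(n) for n in extra_nets]
    findings = []
    for line_no, line in enumerate(lines, 1):
        kv = dict(LOG_FIELD_RE.findall(line))
        f = Finding(line_no, kv.get("user", ""), kv.get("src", ""), kv.get("host", ""))
        if is_default_windows_hostname(f.host):
            f.reasons.append("default Windows hostname")
            f.score += 2
        if ip_in_nets(f.src, nets):
            f.reasons.append("source in watched range")
            f.score += 3
        # A failed attempt from suspicious infra is still worth a look, but a
        # successful one is an active session and outranks it.
        if f.reasons and kv.get("result") == "success":
            f.reasons.append("successful authentication")
            f.score += 1
        if f.reasons:
            findings.append(f)
    return sorted(findings, key=lambda x: -x.score)


# Constructed sample records (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, used here as stand-ins).
SAMPLE_LOG = [
    "2026-03-20T04:12:09Z user=jdoe src=169.150.227.44 host=DESKTOP-7K2P3QA result=success",
    "2026-03-20T04:13:41Z user=asmith src=10.20.30.40 host=ASMITH-LT01 result=success",
    "2026-03-20T04:15:02Z user=svc-backup src=203.0.113.9 host=WIN-4J8N2QK7M1B result=failure",
    "2026-03-20T04:16:55Z user=mlee src=198.51.100.7 host=DESKTOP-Q1W2E3R result=success",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, extra_nets=["203.0.113.0/24"]):
        print(f"line {f.line_no} score={f.score} user={f.user} src={f.src} "
              f"host={f.host} reasons={f.reasons}")
```

The hostname check is the cheaper signal and the noisier one: unrenamed contractor laptops will trip it, so the score matters more than any single reason. Run it against the VPN concentrator's export rather than a SIEM view so that failed attempts are not pre-filtered away.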

Known Seized/Active Domains (defanged):

  • handala-hack[.]to (seized March 2026, restored within 24 hours)
  • handala-redwanted[.]to (seized March 2026)
  • justicehomeland[.]org (seized)
  • karmabelow80[.]org (seized)

Wiper Toolkit Components (from Check Point public research):

  • handala.exe — custom executable with MBR overwrite
  • BiBi Wiper (distinctive file extension signatures)
  • Cl Wiper using EldoS RawDisk driver calls
  • No-Justice: partition table manipulation wiper
  • Karma Shell: Base64-with-XOR web shell
  • PowerShell-based wiper distributed via GPO logon scripts
  • NSIS installer with batch script obfuscation and time-delay sandbox evasion
  • ListOpenedFileDrv_32.sys — Bring Your Own Vulnerable Driver (BYOVD) for EDR bypass
  • NetBird for traffic tunneling into victim networks
  • AI-assisted PowerShell scripts for automated wiping (newly documented)

C2 Infrastructure: Telegram-based command and control, combined with public leak sites for psychological effect delivery.

MITRE ATT&CK Mapping (key techniques):

  • T1078 — Valid Accounts (Entra ID compromise)
  • T1072 — Software Deployment Tools (Intune weaponization)
  • T1003.001 — LSASS credential dumping via comsvcs.dll
  • T1484 — Domain Policy Modification via GPO
  • T1071 — Telegram as C2

VIII. CURRENT OPERATIONAL STATUS AND THREAT TRAJECTORY

As of the date of this report, Handala is in a state of active disruption but not operational shutdown. The confirmed killing of Seyed Yahya Hosseini Panjaki — the MOIS official who oversaw the Void Manticore unit (Check Point's designation for the cluster behind the Handala and Homeland Justice personas) — represents a significant leadership disruption without precedent in this actor's history. However, several factors point to rapid reconstitution: Handala's immediate Telegram response to the FBI seizure announced new replacement infrastructure; the group continues to expand its target scope; and MOIS cyber units operate with institutional continuity beyond individual leadership. Shieldworkz

The Lawfare assessment is the most analytically honest framing available: In the short term at least, it looks like Iran's full hacking capability is being suppressed by deliberate military action. But it is difficult to see how they could really ramp up destructive attacks against the West anytime soon. Lawfare

The key contextual caveat: Despite the ceasefire between Israel and Iran following the twelve-day war in June 2025, Tehran continued to target Israeli interests through cyber operations, intelligence activity, and influence campaigns. A central component of this effort has been the use of hacker groups and cyber personas that present themselves as independent actors but in practice advance the interests of the Iranian regime. Ceasefires have not historically stopped Handala — only kinetic strikes on its leadership have demonstrably disrupted operations. JISS

The emerging threat vector — AI amplification: RRM Canada detected amplification of leaked information through multiple AI chatbots — ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek. The chatbots provided citations that included links to unreliable or state-linked sources or repeated unverified accusations, further amplifying the reach and apparent credibility of Handala's stolen material. This represents a genuinely new force multiplier that no defensive framework has fully addressed. Global Affairs Canada


IX. ANALYTICAL CONCLUSIONS FOR THE RECORD

What the public record establishes, taken in aggregate:

1. This is a state assassination program with a cyber wing, not a cyber program with a political agenda. Panjaki's documented role — Hezbollah coordination, Paris bombing plot, CJNG cartel recruitment, Iranian dissident assassination networks — makes clear that Handala is the digital face of an apparatus that also kills people. The bounty offers to the cartel are consistent with Panjaki's established MO, not an escalation.

2. The kinetic strikes have done more to degrade Handala than any cybersecurity measure. The loss of Panjaki and Farhadi Ramin, combined with the IRGC cyber HQ strike, represents a decapitation event without precedent in Iranian cyber operations. The RFJ program suggests the US is now trying to capitalize on post-strike chaos to extract insider intelligence before the unit reconstitutes.

3. The Gmail problem is the most underreported threat. Multiple senior Israeli officials — including a former Mossad director — were compromised via their personal Gmail accounts, not classified systems. The intelligence collection value here rivals conventional espionage operations.

4. The BYOD wipe of personal devices is a legal and liability watershed. Stryker employees had personal data — including eSIMs — permanently destroyed by a foreign government using their employer's MDM system. This will drive litigation, regulatory action, and MDM policy reform across the enterprise sector regardless of the geopolitical outcome.

5. The $10M reward is a recruitment operation, not a bounty. The RFJ designation is designed to incentivize insider defection from the reconstituting unit, criminal access brokers who work with them, or diaspora sources with family connections to Hamadan and Karaj — the cities where these operators lived and died.


Jonathan Brown (A.A.Sc., B.Sc) writes about cybersecurity infrastructure, privacy systems, the politics of AI development and many other topics at bordercybergroup.com and aetheriumarcana.org. Border Cyber Group maintains a cybersecurity resource portal at borderelliptic.com . He works from a custom-built Linux platform (SableLinux) which is currently under development and fully documented at https://github.com/black-vajra/sablelinux.

If you would like to support our work, providing useful, well researched and detailed evaluations of current cybersecurity topics at no cost, feel free to buy us a coffee! https://bordercybergroup.com/#/portal/support