Pro-Iran hackers published more than 300 emails and photos Friday from what appears to be a personal email account for FBI director Kash Patel.
The hacking group, called Handala, indicated on its website that the leak was retaliation after the FBI and Justice Department seized several of its websites last week, accusing the group of “psychological operations” and saying it was a front for Iran’s Ministry of Intelligence and Security. The State Department offered a reward of up to $10 million for information on Iranian hackers threatening U.S. critical infrastructure.
Earlier this month, Handala took credit for the sole significant destructive cyberattack against an American company, medical tech supplier Stryker, since the war between the country, the U.S. and Israel began.
The Justice Department declined to comment. The FBI did not immediately respond to a request for comment. NBC News did not forensically verify all the emails were authentic.
The group published several photos of Patel on its website that do not appear to have previously been made public, according to an NBC News review through several reverse-image searches. The emails appear to have been sent from or to a personal Gmail account that is listed as belonging to Patel in at least one public government document. Gmail didn’t respond to a request for comment.
Handala posted on its Telegram channel Thursday that “The FBI shouldn’t have started a confrontation and conflict with us,” and said it would soon post evidence of “the biggest security breach of the past decade.” That Telegram channel has since been deleted. Telegram didn’t respond to a request for comment.
All of the emails predate Patel’s work with the Trump administration, and mƒetadata from the files indicate they were hacked before the war began. The emails Handala posted are curated and are arranged into folders last modified on May 21, 2025. Most of the emails are dated between 2010 and 2012, and the most recent is a plane ticket receipt from 2022.
Many of the emails are personal and involve correspondence among Patel’s family and photos of his children when they were young. Some are of Patel appearing to be on a trip to Cuba.
U.S. officials told Patel in late 2024 that he had been the target of an Iranian cyberattack before he agreed to lead the FBI, and that the hackers had sought his communications.
In the lead-up to the 2024 election, the FBI, Microsoft and Google each said that hackers working for Iran’s Islamic Revolutionary Guard Corps had tried to hack multiple political figures, including affiliates of Donald Trump and Joe Biden when he was running for re-election.
The hackers do not appear to have leaked files from Democrats. But a hacker persona calling itself “Robert” approached multiple news outlets, including NBC News, with stolen vetting documents for three of Trump’s top choices for vice president ahead of Election Day NBC News and several other news outlets declined to publish the files and did not see substantial new information in them.
The Robert persona told Reuters in 2025 that it planned to leak more emails it had stolen from Trump allies, though it’s not clear whether that materialized. A signal account previously used by the Robert persona did not respond to a request for comment from NBC News.
Handala often takes credit for hacking companies and then hosting some hacked files on its site. It has at times exaggerated its claims. Earlier this month, it claimed to have hacked Verifone, an Israeli telecom company, though a Verifone spokesperson told NBC News it had not experienced any attacks on or disruptions to its systems.
Alex Orleans, the head of threat intelligence at the cybersecurity company Sublime Security, told NBC News that Iran appears to have hacked Patel earlier and had strategically waited to release the files after having hacked Patel much earlier.
“Looks like something they had sitting around,” Orleans said. “Iranian actors sit on all kinds of odds and ends for a rainy day.”
“Given recent controversies surrounding Patel, I expect the Iranians would’ve chosen to release significantly more contemporary — and potentially embarrassing — content if they had a recently open line of access as opposed to something they had on the shelf,” he said.
Leave a Reply