Abstract
Since late 2023, the Handala Hack Team (HHT) has evolved into a sophisticated tool of Iranian-aligned psychological warfare, blending hacking with targeted influence operations to pressure Israel’s political ecosystem. The alleged “Bibi Gate” hacking campaign, built on claims of access to data from the phone of Netanyahu’s chief of staff, Tzachi Braverman, illustrates the group’s emphasis on intimidation narratives and prolonged media engagement rather than verified technical disruption. Operating primarily against Israeli targets, HHT leverages leak campaigns, phishing, and propaganda to erode morale and project psychological dominance. Its activity has escalated around key symbolic dates and conflicts, culminating in the “Saturday Files” campaign and alleged hybrid actions suggesting a presence inside Israel. Indicators including language, messaging alignment, and proxy affiliations strongly link HHT to Iran’s broader influence ecosystem.
Looking ahead, experts anticipate a potential escalation toward critical infrastructure targeting amid ongoing cognitive warfare. The recommendations underscore the urgent need for hardened identity protections, rigorous personal-device security, enhanced detection of stealth access, and prepared legal and communications playbooks—highlighting that in modern conflict, the most consequential vulnerability is often not the technical compromise itself, but the narrative adversaries construct around it.
Since late 2023, the Handala Hack Team (HHT) has evolved into a calculated instrument of Iranian psychological warfare. The group systematically hacks, exposes, and threatens Israeli political officials, defense-sector personnel, and civilians, while also targeting companies and critical infrastructure, primarily in Israel. Over the past year (2025), HHT has increasingly shifted from conventional cyber intrusions to targeted influence campaigns designed to erode morale, generate public pressure and drama, and project reach far beyond cyberspace.
The Bibi Gate Hack
On December 28, 2025, Handala claimed on X that it had accessed data from Tzachi Braverman’s phone as part of the “Bibi Gate” operation; however, these claims remain unverified. This alleged breach is presented as part of a broader, ongoing campaign known as RedWanted or the “Saturday Files,” which has previously included claims of access to the personal communications of former Israeli Prime Minister Naftali Bennett, among other cases of personal leaks. Yigal Unna, ICT Fellow and former Head of the Israel National Cyber Directorate and former Head of the Cyber Division at the Israel Security Agency (ISA), highlights that the digital arena, commonly referred to as cyberspace, has become an integral part of the escalating conflict between Iran and Israel. Handala publications in recent days are “characterized mainly by psychological operations, publishing private, allegedly sensitive material from mobile devices belonging to current and former senior officials.”
Among the threats posted on Handala’s X account alongside the “Bibi Gate Hack” announcement were statements such as “every secret entrusted to Tzachi Braverman is now wide open” (referring to information the group allegedly obtained from his phone) and “we were always inside… we choose what you fear next.” According to ICT Fellow and cybersecurity expert, Oren Elimelech, “this is pure psychological dominance messaging, explicitly crafted to induce anxiety inside Netanyahu’s inner circle. It is not a technical report; it is psychological warfare by design. The objective of the group is not merely intrusion but control, leveraging fear, perception, and narrative to achieve impact. A leak of a phone book and correspondence about a person such as Braverman allows Iran to build a map of contacts: who talks to whom, how often, at what hours: this is also intelligence gold.”
Source: An AI-generated photo published by the Handala Hack Team on Saturday, December 27, 2025. The content of the post: “‘Flight BB Gate’ rises above the clouds, encrypted currents stir quietly among the watchers and the watched. Layers of protection tighten as the journey unfolds, but sometimes, secrets take flight too—leaving trails only the most attentive can see. On this day, those who guard the skies may find that the unexpected travels with them, and not every hidden truth remains grounded. And Bibi, it seems you’re carrying some rather interesting souvenirs with you this time. Tik Tok…Tik Tok Sunday, December 28, 2025. 7:30 AM”
After the first announcement of the Bibi Gate Hack, threats continued to circulate on HHT social media channels. For example, the group posted: “What do you think—should we, right at the outset, release 110 pages of Braverman’s phone contacts for all to see? Would that be enough proof for you that the hack is real?” These types of posts are intended to prolong the campaign and attract greater attention from mainstream media (for example, Haaretz was tagged on this post on HHT’s X account).
Who is the Handala Hack Team (HHT)?
The Handala Hack Team (HHT) emerged following the events of October 7, 2023, and the subsequent war between Israel and Hamas. The name “Handala” derives from a character created in 1969 by political cartoonist Naji al-Ali, which later became a powerful symbol of Palestinian identity, resilience, and defiance. The cartoon has also become the group’s symbol and appears on its accounts across Handala’s Telegram channel, X account, Dark Web website, and other social media platforms.
Source: HHT cover page on X platform account
The group was first observed operating in December 2023, after publishing details of its hacks on its social media accounts. Between February 2024 and February 2025, HHT conducted at least 85 attacks, primarily against targets in Israel, with several incidents reported in the United States. Healthcare has been a frequently targeted sector, followed by information technology, electronics, education, and government and defense, which in recent months has become their primary focus. The group’s main modus operandi consists of DDoS attacks, data-leak operations, phishing attacks, and website defacement.
During the Iran–Israel War (June 13–24, 2025), HHT released a propaganda poster titled “12 Days of Cyber War,” presenting a narrative of ongoing cyber confrontation against Israel. The poster lists alleged “supporting cyber fronts” and “enemy groups,” framing the conflict as part of a broader cyber campaign. Its significance lies in the environment it reflects: the Handala Hack Team operates within an Iranian ecosystem of cyber and influence actors, where activities are designed not only for technical disruption but also for intimidation, messaging, and narrative warfare. The poster helps contextualize HHT as part of a state-aligned psychological warfare effort that blends cyber operations with strategic propaganda to project capability, create fear, and legitimize Iranian involvement in the cyber domain.
Source: HHT’s publication of attacks during the 12-day war between Israel and Iran, along with operations conducted by two other pro-Iranian hacking groups during that period.
On September 27, 2025, on the one-year anniversary of Hassan Nasrallah’s death, Handala claimed to have extracted 379 gigabytes of “sensitive information, including military, governmental, and security data” from Amos Spacecom Company. They also claimed to have in their possession “top-secret communications that, if disclosed, would severely jeopardize (Israeli) national security and disrupt vital defense operations.” As proof, the group released what they claimed to be “several thousand samples of the company’s orbital satellite communications.” The anniversary-style publication shows another connection between HHT and Iran and its proxies. This was further highlighted by a tribute released by Handala Hack Team on the one-year anniversary of Hezbollah Commander Reza Abbas Awada’s death, mentioning that “Handala owes much of what it is today to Reza.”
HHT became especially active after the two-year anniversary (October 2025) of the October 7th massacre with an alleged attack on Israel’s fuel system and the release of what they refer to as a “statement of establishment” that was published in English, Hebrew, Arabic, and Spanish on their website, as well as a Farsi version on a Telegram channel associated with the group. The publication delineates their guiding principles, modus operandi, and their plans for the information they gather on Israeli individuals, especially in points 3 and 4. They are planning to release personal information on Israelis associated with the military and defense industries, for “informational, operational, and psychological exploitation.” Curiously, points 5, 6, and 7 point to a larger project that a hacking group doesn’t usually take on, such as preparing legal cases against Israelis, organizing transnational cooperation, and setting up marches and gatherings to demonstrate solidarity with the Palestinian cause; activities usually restricted to state actors or public organizations.
Source: Left: HHT statement of establishment screenshot from their website; Right: HHT claim of attack against Israel Delek system – screenshot from their website.
Indeed, shortly afterward they began what is known as the Handala RedWanted “Saturday Files” campaign. HHT established a weekly pattern of publishing personal details of Israelis connected to the military, defense industries, and occasionally the media. Every Saturday, the group released names, photos, contact details, and background information, often pairing these with threats, narrative framing, and escalating financial “rewards” for information, rising from $10,000 to $30,000. Over time, the campaign expanded from doxxing to symbolic intimidation claims, including alleged surveillance capabilities and purported physical presence inside Israel, while continuing to frame itself as a psychological pressure tool targeting Israel’s security establishment. The recent Naftali Bennett hack and the “Bibi Gate Hack” are further examples of this ongoing campaign.
Source: Right: HHT website post referencing the RedWanted campaign declaration; Left: statement announcing the alleged hack of Naftali Bennett.
Conclusions
The deliberate exposure of identities, combined with hostile messaging, is clearly intended to serve psychological warfare objectives, particularly emphasized by the campaign’s timing following the two-year anniversary of October 7 and the decision to release material every Saturday. According to Oren Elimelech, the group’s strength lies primarily in the “operational execution rather than advanced exploit capabilities.” He explains that Handala’s 2025 activity pattern is largely consistent with phishing and social engineering tactics used to gain access to sensitive information, operations that typically target accounts or personal devices, generate high-visibility headlines in Israel, and are subsequently leveraged for psychological impact.
This emphasis on publicity-driven disruption is not new in the cyber domain, particularly among actors prioritizing psychological warfare over physical damage to infrastructure. HHT clearly understands the value of media exposure and the platforms required to achieve it, maintaining multiple accounts on Telegram, X, Tox chat, Breach Forums, as well as a dedicated website. A comparable precedent exists in Iranian-affiliated hacking groups active mainly between 2020 and 2022, such as Moses Staff, which similarly leveraged targeted messaging and media amplification strategies to secure visibility in the Israeli news cycle.
Together, these elements reflect an increasingly evident reality over the past two years: the cyber battlefield is steadily expanding into the sphere of cognitive warfare. As Elimelech further asserts, leaks such as those associated with the “Bibi Gate Hack” are designed not merely to reveal information, but to intimidate, amplify narratives, and generate psychological effects far beyond the technical scope of the intrusion itself. This understanding becomes even more concerning given the group’s claims of extending its activities beyond cyberspace. The November 29, 2025 incident, wherein an HHT-affiliated actor allegedly placed a bouquet of roses in the vehicle of Dr. Isaac Gertz, alongside claims of access to airport surveillance systems, suggests an effort to project a sense of physical presence and operational reach within Israel. If verified, this would represent a significant escalation, transforming HHT from a purely digital threat into a hybrid psychological–physical actor with broader security implications.
While HHT presents itself as a pro-Palestinian hacktivist organization, indicators such as Farsi-language content on Telegram, affiliations with Iran and Hezbollah, and repeated symbolic tributes strongly suggest a link to Iran. They appear to operate within a broader, decentralized Iranian ecosystem that includes other pro-Iranian proxies. Their affiliation is further reflected in a consistent “pattern match” to Iran’s influence doctrine. As Elimelech notes, whether through direct sponsorship or strategic alignment, the rhythm follows a familiar sequence: steal content, leak, shame, intimidate, and repeat. The ritualized weekly leak pattern, embodied in the “Saturday Files,” reinforces that this is a sustained influence operation rather than a single opportunistic breach. This is precisely what makes HHT dangerous; they do not require nation-state–grade exploits to generate nation-state–level disruption.
Contextually, this activity should be viewed within the broader cyber confrontation between Israel and Iran. Yigal Unna further explains that the cyber battlefield intensified in April 2020, shortly after the assassination of Quds Force commander Qassem Soleimani and the outbreak of the COVID-19 crisis, when Iran attempted to damage Israel’s water and sewage infrastructure. Although the attack failed, it was soon followed by reports of a retaliatory cyber incident affecting the Bandar Abbas port in Iran. Since then, Unna notes, Iran has increasingly shifted from attempting large-scale technical disruption toward intelligence collection, recruitment, as well as ongoing psychological and influence operations, which now constitute the central effort.
He further explains that Iran’s offensive cyber capabilities are not considered highly advanced, though they continue to evolve. No evidence has emerged of a true “zero-day” capability of the kind reportedly used in earlier campaigns against Iran itself. Instead, Iran’s advantage lies in the sheer number of “cyber soldiers” it deploys, its lack of operational restraints, and its sophisticated expertise in psychological manipulation, fueling existing fractures across Israeli society. Meanwhile, Iran itself remains vulnerable, as demonstrated periodically by disruptive cyber incidents such as the shutdown of fuel pumps attributed to the Predatory Sparrow group. As is customary globally, states avoid formally acknowledging responsibility for cyberattacks, instead attributing them to affiliated cybercrime or proxy groups, such as Handala, sympathetic to Iran, and Predatory Sparrow, aligned with opposition interests.
Against this backdrop, the current publications of allegedly sensitive material from senior Israeli officials are not the peak of this campaign; they are likely just the tip of the iceberg. Unna suggested that it is highly likely that future stages of this campaign, especially in the event of direct confrontation, will shift toward attempts to cause real, tangible harm to critical infrastructure. Ultimately, the outcome will rely heavily on defensive preparedness and resilience. In this regard, Israel maintains a demonstrated advantage, having developed robust national readiness and multilayered cyber defense capabilities comparable to its strategic missile defense framework.
Recommendations
The lessons from HHT’s activity, as Oren Elimelech explains, are practical rather than theoretical. First, Israeli government officials and senior ecosystem stakeholders must internalize that a “personal device” is not secondary or less critical than an official government system; in many cases, it is the primary operational vulnerability. For anyone operating within Israel’s strategic ecosystem—government, critical infrastructure, public companies, high-tech, and the defense supply chain—the priority must be to harden identity and access. This includes implementing phishing-resistant multi-factor authentication for executives and administrators, disabling legacy authentication mechanisms, and tightening account recovery processes. Communication security must also be reinforced by minimizing sensitive discussions on personal devices, strengthening mobile device management policies, and ensuring secure handling of backups and cloud synchronization.
Simultaneously, Oren Elimelech suggests that organizations must enhance their ability to detect “quiet access,” including token abuse, abnormal OAuth consent activity, malicious mailbox rules, “impossible travel” authentication anomalies, and unusual iCloud, Google, or SSO recovery events. Finally, organizations must assume that exposure and narrative pressure are inevitable and prepare accordingly. Legal, communications, and incident response playbooks should be pre-built for leak and psychological-impact scenarios, not only for conventional ransomware or data breach incidents. As the Handala case demonstrates bluntly in 2025, the greatest vulnerability is often not the malware itself, but the story that an adversary can force an organization—and a nation—to live inside.
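Two of the “quiet access” signals named in the recommendations, impossible-travel sign-ins and mailbox rules that forward mail outside the organization, can be checked over identity and mail audit events as in the following added example, which is not code from the article or from the experts it cites. The event field names, the 900 km/h speed ceiling, the 50 km distance floor and the example.org domain are assumptions, and the events are constructed.

```python
import math
from datetime import datetime

# Constructed sample events (not real logs); field names are hypothetical.
EVENTS = [
    {"type": "signin", "user": "exec@example.org", "time": "2025-01-10T06:10:00", "lat": 31.78, "lon": 35.22},
    {"type": "signin", "user": "exec@example.org", "time": "2025-01-10T07:05:00", "lat": 52.37, "lon": 4.90},
    {"type": "signin", "user": "admin@example.org", "time": "2025-01-10T08:00:00", "lat": 32.08, "lon": 34.78},
    {"type": "signin", "user": "admin@example.org", "time": "2025-01-10T09:30:00", "lat": 31.78, "lon": 35.22},
    {"type": "mailbox_rule", "user": "exec@example.org", "time": "2025-01-10T07:09:00",
     "forward_to": "archive@mail.example.net", "delete_after": True},
    {"type": "mailbox_rule", "user": "admin@example.org", "time": "2025-01-10T10:00:00",
     "forward_to": "team@example.org", "delete_after": False},
]
MAX_KMH = 900            # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50              # assumed floor: ignore geolocation jitter within a metro area
ORG_DOMAIN = "example.org"

def km_between(a, b):
    """Great-circle (haversine) distance between two sign-in events, in km."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat, dlon = p2 - p1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def detect(events, max_kmh=MAX_KMH, org_domain=ORG_DOMAIN):
    """Return (alert_name, user, time) tuples in chronological order."""
    alerts, last_signin = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        if ev["type"] == "signin":
            prev = last_signin.get(ev["user"])
            if prev:
                delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
                hours, km = delta.total_seconds() / 3600, km_between(prev, ev)
                # Zero elapsed time over a real distance is also impossible travel.
                if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                    alerts.append(("impossible_travel", ev["user"], ev["time"]))
            last_signin[ev["user"]] = ev
        elif ev["type"] == "mailbox_rule":
            domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if domain != org_domain:                     # exact match: subdomains are flagged too
                name = "external_forward_and_delete" if ev["delete_after"] else "external_forward"
                alerts.append((name, ev["user"], ev["time"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

An impossible-travel alert followed minutes later by an external forwarding rule on the same account is a stronger signal than either alone, so the chronological ordering of the output is worth preserving when these alerts are triaged.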



