Top Highlights
- In December 2025, Handala claimed to fully compromise two Israeli officials’ devices, but analysis revealed they only accessed Telegram accounts, not entire devices.
- The breaches resulted in exposing limited data—mostly empty contact cards and a few actual chat messages—highlighting security gaps in account management, not device security.
- Handala employed methods like SIM swapping, SS7 protocol exploits, phishing, session hijacking, and social engineering to take over accounts without full device access.
- The incident underscores vulnerabilities in encrypted messaging platforms, especially regarding session management, default settings, and cloud-stored data, which can be exploited for targeted espionage.
Problem Explained
In December 2025, the Iranian-linked hacking group Handala claimed to have fully compromised the mobile devices of two prominent Israeli figures—former Prime Minister Naftali Bennett and Israeli Chief of Staff Tzachi Braverman. However, detailed investigations by Kela cyber intelligence researchers revealed that the breaches did not involve complete device access. Instead, Handala specifically targeted their Telegram accounts, extracting contact lists, photos, videos, and chat histories. The analysis showed that most of the leaked information consisted of empty contact cards and only a handful of meaningful messages. This gap between the dramatic claims and the actual findings pointed to vulnerabilities in account security rather than device hacking. Researchers found that the attackers likely used techniques such as SIM swapping, exploiting SS7 protocol weaknesses, phishing, and session hijacking—methods that allowed them to bypass encryption and multi-factor authentication without needing full device control.
Furthermore, the incident exposed significant flaws in how Telegram handles user security, especially since default settings and cloud-based data storage increase the risk of account breaches. Handala’s operations, which began in late 2023, focus heavily on targeting Israeli institutions and publicly support Iran and Palestinian causes, hinting at possible state sponsorship or collaboration. The group’s ability to access accounts through various attack vectors underscores the importance of robust security practices, as even encrypted messaging platforms can be vulnerable when security measures are weak or misconfigured. This case highlights the evolving tactics of cybercriminal groups and the ongoing need for heightened vigilance among political figures and organizations.
Potential Risks
The recent issue where Handala Hackers targeted Israeli officials by compromising their Telegram accounts illustrates how similar cyberattacks could threaten any business. If hackers gain access to your communication channels, they can steal sensitive information, disrupt your operations, and damage your reputation. Moreover, such breaches can lead to financial loss and legal liabilities. As these hackers often use social engineering tactics or malware, any company’s digital security can be vulnerable without proper safeguards. Consequently, your business might face operational chaos, customer trust erosion, or regulatory penalties. Therefore, it is crucial to implement strong cybersecurity measures, monitor accounts continuously, and train staff to recognize threats—since, in today’s digital landscape, no business is entirely safe from these evolving cyber threats.
Possible Action Plan
In the rapidly evolving landscape of cybersecurity threats, swift and effective remediation is critical to minimizing damage and restoring trust, especially in incidents targeting high-value individuals or sensitive communications. When hackers, such as the Handala Hackers, compromise Telegram accounts of Israeli officials, the urgency lies in preventing further malicious activity, protecting sensitive information, and safeguarding national security interests.
Containment Measures
Immediately suspend or disable compromised Telegram accounts to prevent further dissemination of malicious content or information leaks.
Incident Assessment
Conduct a thorough investigation to understand the scope and nature of the compromise, identifying any additional affected accounts or systems.
Password Management
Reset passwords and enforce multi-factor authentication (MFA) on all affected accounts to prevent unauthorized access.
Communication
Notify affected officials and relevant stakeholders about the breach, emphasizing caution in communication and advising on mitigating strategies.
Coordination Efforts
Collaborate with Telegram support and cybersecurity authorities to analyze the breach and seek assistance in securing accounts.
Monitoring
Implement enhanced monitoring of related accounts and communication channels for suspicious activity to detect later attempts or related breaches.
User Education
Educate officials on recognizing phishing attempts and best practices for securing messaging accounts to prevent future compromises.
Long-term Strategies
Review and strengthen security protocols, including regular account audits, access controls, and endpoint security measures.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
