Iran-Linked Handala Escalates Doxxing Campaign With $100,000 Bounty Claim on Israelis
The alleged leak tied to the Gaza flotilla interception fits a wider pattern: cyber-enabled intimidation, reward campaigns, and platform evasion.
Jewish Onliner is an independent publication.
Handala, an Iran-linked “hacktivist collective” tied by researchers and U.S. officials to Tehran’s intelligence apparatus, is claiming it obtained personal details of 69 Israeli naval personnel allegedly involved in intercepting the Gaza-bound Global Sumud Flotilla. But the group’s own framing raises immediate credibility questions: the people it presented as Shayetet 13 naval commandos appear to include women and middle-aged men, a profile that is inconsistent with a current roster of combatants in Israel’s elite naval commando unit.
The episode matters less because the alleged list has been authenticated (it has not) and more because it fits Handala’s documented pattern of turning alleged hacks, partial leaks, misattribution, doxxing, and bounty language into psychological warfare aimed at Israelis, dissidents, journalists, and Jewish communities.
Why the Shayetet 13 Claim Looks Suspect
The alleged Shayetet 13 framing appears shaky on its face. The IDF describes Shayetet 13 as an elite marine commando unit, yet the alleged list reportedly included women, older men, former personnel, and people tied to non-commando naval roles. The Jerusalem Post reported that many of those named appeared to have no link to the unit, while the IDF has previously said Shayetet 13 remains closed to women as combatants. That makes Handala’s list look less like an authenticated roster of naval commandos and more like an unverified, apparently misattributed doxxing package.
The Flotilla Claim
The latest claim centers on Israel’s interception of the Global Sumud Flotilla, a convoy that had departed from southern Turkey in another attempt to challenge Israel’s naval blockade of Gaza. Reuters reported that all 50 boats were intercepted and that more than 400 participants from over 40 countries were detained; Israel’s Foreign Ministry said the activists were transferred to Israeli vessels and would be allowed consular access.
Handala then claimed it had obtained information on 69 Israeli Navy officers it said participated in the operation. In a statement circulated online, the group allegedly offered a $100,000 bounty for each officer and warned Israeli officials that actions “on land or at sea” would not go unanswered.
The RedWanted Escalation
The $100,000 bounty claim did not appear in a vacuum. Handala’s RedWanted campaign was a serialized intimidation program that paired doxxing with threats and financial rewards. Archived examples include reward language that moved from $10,000 to $30,000 and then to $50,000 in posts targeting alleged Israeli military, intelligence, and defense-sector figures.
Iran International previously reported that Handala offered $30,000 for information related to Israel’s military sector after releasing material it said identified people involved in designing Arrow and David’s Sling missile-defense systems. The outlet noted that Israeli media had not confirmed whether the information released by the group was accurate.
A State-Linked Entity, Not a Conventional Hacktivist Crew
Handala presents itself in pro-Palestinian terms, but multiple public assessments describe it as part of a broader Iranian cyber and influence ecosystem. Check Point Research says Handala (officially “Handala Hack”) is operated by Void Manticore, also known as Red Sandstorm and Banished Kitten, which is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Check Point says the group combines destructive wiping attacks with hack-and-leak operations.

The Justice Department went further in March 2026, announcing the seizure of four domains it said facilitated MOIS hacking efforts tied to psychological operations and transnational repression. The DOJ said seized domains were used to claim responsibility for hacks, post stolen sensitive data, and call for the killing of journalists, regime dissidents, and Israeli persons.
That description matches the assessment in the uploaded Handala dossier: the group is better understood as a public-facing brand for cyber-enabled intimidation, data leaks, and psychological operations than as a conventional freelance “hacktivist” operation.
Outpost24 similarly assessed that Handala’s operations focus on disruption and psychological impact rather than financial gain, and that the group pairs technical activity with public statements, leak claims, and online messaging to extend pressure beyond the initial compromise.
Built to Survive Takedowns
Handala’s persistence is not accidental. The group’s public operation relies on a rotating mix of websites, X accounts, Telegram channels, alternative services such as Session, and preservation by leak-tracking mirrors.
RansomLook currently tracks 177 all-time Handala official posts and lists two of four monitored URLs as up, underscoring that the group’s web presence has redundancy even when individual endpoints disappear.

That architecture helps explain why law-enforcement action has disrupted but not eliminated the brand. Reuters reported that Handala’s website returned a day after the FBI and Justice Department seized four associated domains. Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracies, told Reuters that Handala had already had “tens” of Telegram channels, X accounts, and domains taken down without being significantly slowed.
Potential Government Responses
Handala has become a distributed propaganda-and-leak architecture, not merely an account to suspend. Its latest claim shows how an Iran-linked cyber persona can attach an alleged data leak to a fast-moving security controversy, cast private individuals as military targets, and use bounty language to turn uncertainty itself into intimidation.
That means the response cannot stop at domain seizures or account takedowns. Israeli authorities can verify what, if anything, was actually breached, warn affected individuals, and publicly distinguish authenticated military information from material that appears misattributed or fabricated. U.S. authorities, meanwhile, can keep moving beyond infrastructure disruption toward sustained pressure on the people, aliases, hosting networks, and amplifiers that allow Handala to reappear after each takedown.




