In December 2025 the Iran-linked hacking group Handala claimed responsibility for a cyberattack on two prominent Israeli political figures, describing it as a full compromise of their mobile devices. A closer analysis by researchers at the cyber intelligence firm Kela points to a narrower breach: the attackers took over the victims' Telegram accounts rather than gaining control of the phones themselves.
The group asserted that during “Operation Octopus” it had infiltrated the iPhone 13 of former Prime Minister Naftali Bennett, and it released data it said included contact lists, photos, videos and roughly 1,900 chat conversations. A similar claim followed regarding the device of Tzachi Braverman, Bennett's chief of staff. For all the severity of these claims, what was actually exposed pointed to a weakness in account security, not to a takeover of the device.
Analysis of the Telegram Breach
Kela analysts examined the leaked material and found that most of the purported chat conversations were empty contact cards, the entries Telegram generates automatically when an account syncs its contacts. Only around 40 of the conversations contained any messages, and fewer still held substantial exchanges. Every exposed contact corresponded to an active Telegram account, which is what a Telegram contact sync produces and not what a dump of a phone's address book would look like; this confirmed that the data came from the Telegram platform itself.
As Kela's researchers describe it, the incident highlights weaknesses in session management and account security on messaging platforms, including ones widely regarded as secure, such as Telegram. Understanding how the account takeover was likely carried out clarifies Handala's operational methods and how the group can compromise accounts without ever gaining access to the device.
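The triage Kela describes, separating sync-generated contact stubs from conversations that actually carry messages, can be reproduced on a Telegram Desktop JSON export. The script below is an added example, not code from the article or from Kela; it assumes the layout of Telegram Desktop's "Export Telegram Data" result.json (chats.list[].messages[] with type and from_id fields, and personal_information.user_id for the account owner), and the sample export embedded in it is constructed for the demonstration.

```python
"""Triage a Telegram Desktop JSON export: how many 'chats' really hold messages?

Added example; not part of the article or Kela's analysis. Assumes the
result.json layout written by Telegram Desktop's export feature. The sample
export below is constructed.
"""
import json
from collections import Counter

# Constructed sample: five entries, mimicking a leak where contact sync
# produced chat stubs with no messages, one half-conversation, one real
# exchange and one entry holding only a service record (a call notification).
SAMPLE_EXPORT = json.dumps({
    "personal_information": {"user_id": 1000},
    "chats": {"list": [
        {"name": "Contact A", "type": "personal_chat", "id": 2001, "messages": []},
        {"name": "Contact B", "type": "personal_chat", "id": 2002, "messages": []},
        {"name": "Contact C", "type": "personal_chat", "id": 2003, "messages": [
            {"id": 1, "type": "message", "from_id": "user2003", "text": "hi"},
        ]},
        {"name": "Contact D", "type": "personal_chat", "id": 2004, "messages": [
            {"id": i, "type": "message",
             "from_id": "user1000" if i % 2 else "user2004",
             "text": f"msg {i}"} for i in range(1, 31)]},
        {"name": "Contact E", "type": "personal_chat", "id": 2005, "messages": [
            {"id": 1, "type": "service", "actor_id": "user2005", "action": "phone_call"},
        ]},
    ]},
})


def classify_chat(chat: dict, owner_id: int, substantial: int = 20) -> str:
    """Label one chat entry from the export.

    empty       - no real messages (a contact card created by sync, or only
                  service records such as call notifications)
    one_sided   - messages exist but only one party ever wrote
    exchange    - both parties wrote, fewer than `substantial` messages
    substantial - both parties wrote and at least `substantial` messages
    """
    msgs = [m for m in chat.get("messages", []) if m.get("type") == "message"]
    if not msgs:
        return "empty"
    senders = {m.get("from_id") for m in msgs}
    if f"user{owner_id}" not in senders or len(senders) < 2:
        return "one_sided"
    return "substantial" if len(msgs) >= substantial else "exchange"


def triage_export(raw_json: str, substantial: int = 20) -> dict:
    """Count chats per label and report the share that are empty stubs."""
    export = json.loads(raw_json)
    owner = export["personal_information"]["user_id"]
    counts = Counter(classify_chat(c, owner, substantial)
                     for c in export["chats"]["list"])
    total = sum(counts.values())
    labels = ("empty", "one_sided", "exchange", "substantial")
    return {
        "total": total,
        **{k: counts.get(k, 0) for k in labels},
        "empty_pct": round(100 * counts.get("empty", 0) / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    print(triage_export(SAMPLE_EXPORT))
```

Run against a real export the numbers tell you immediately whether a claimed "1,900 conversations" is 1,900 conversations or 1,900 address-book entries with a handful of actual threads; the `substantial` threshold is arbitrary and should be tuned to the case.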
Handala’s Attack Vectors and Exploitation
Handala is believed to have used a combination of attack vectors. These likely included SIM swapping, in which the attacker takes over the victim's phone number so that verification codes are delivered to a SIM the attacker controls. Weaknesses in SS7, the signalling protocol at the core of mobile telephony, may also have been exploited to intercept SMS messages at the network level. The group may additionally have run phishing campaigns that trick targets into revealing one-time passwords (OTPs) on fraudulent login pages, or into scanning malicious QR codes that authorize the attacker's device on the victim's account.
Session hijacking was another probable method. Telegram Desktop keeps its active session in a folder named “tdata”; the key and map files inside it are, in effect, the authentication material, and copying the folder onto another machine and restoring it there grants full account access with no OTP and no cloud password, because the session is already authenticated. Setting a local passcode in Telegram Desktop encrypts that material with a key derived from the passcode, so a copied folder is not usable on its own.
The group's playbook also covered harvesting OTP codes by other means: having the verification code delivered by voice call and then retrieving it from voicemail where the mailbox still uses a default or unchanged PIN, or impersonating Telegram support staff to talk targets into handing over the code.
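Because the tdata copy bypasses every server-side control, the place to catch it is on the endpoint: the only process that should ever open those files is Telegram Desktop itself. The detector below is an added example, not code from the article or from Kela. It reads a constructed stream of file-access events (one JSON object per line with ts/host/pid/image/op/path fields, an assumed EDR-style schema), uses Telegram Desktop's default tdata locations on Windows and Linux, and treats key_datas and the D877F783D5D3EF8C* entries as the session key material an infostealer needs.

```python
"""Flag non-Telegram processes reading Telegram Desktop's tdata session store.

Added example; not code from the article or from Kela. The event schema and
the sample log are constructed. tdata paths are Telegram Desktop's defaults
on Windows and Linux; key_datas and the D877F783D5D3EF8C* files are the
session key material that makes a copied folder usable elsewhere.
"""
import json
import re

# Default tdata locations (Windows, and Linux's ~/.local/share/TelegramDesktop).
TDATA_RE = re.compile(
    r"([\\/]Telegram Desktop[\\/]tdata|/TelegramDesktop/tdata)([\\/]|$)",
    re.IGNORECASE,
)
# Session key material inside tdata; anything else there (emoji cache etc.) is low value.
KEY_MATERIAL_RE = re.compile(r"[\\/](key_datas|D877F783D5D3EF8C\w*)$", re.IGNORECASE)
TELEGRAM_IMAGES = {"telegram.exe", "telegram-desktop", "telegram"}

# Constructed sample log: the client opening its own store, a binary dropped in
# Temp and a shell reading key files, a Linux stealer, and a harmless cache read.
SAMPLE_LOG = r"""
{"ts":"2025-12-02T09:14:01Z","host":"ws-17","pid":4120,"image":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe","op":"read","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"}
{"ts":"2025-12-02T09:16:40Z","host":"ws-17","pid":7781,"image":"C:\\Users\\a\\AppData\\Local\\Temp\\update.exe","op":"read","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"}
{"ts":"2025-12-02T09:16:41Z","host":"ws-17","pid":7781,"image":"C:\\Users\\a\\AppData\\Local\\Temp\\update.exe","op":"read","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\D877F783D5D3EF8Cs"}
{"ts":"2025-12-02T09:20:05Z","host":"ws-17","pid":5012,"image":"C:\\Windows\\explorer.exe","op":"read","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe"}
{"ts":"2025-12-02T09:22:13Z","host":"ws-17","pid":6630,"image":"C:\\Windows\\System32\\cmd.exe","op":"read","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\emoji\\cache_0"}
{"ts":"2025-12-02T10:01:09Z","host":"lx-03","pid":2210,"image":"/usr/bin/telegram-desktop","op":"read","path":"/home/b/.local/share/TelegramDesktop/tdata/key_datas"}
{"ts":"2025-12-02T10:03:50Z","host":"lx-03","pid":9904,"image":"/tmp/.x/stealer","op":"read","path":"/home/b/.local/share/TelegramDesktop/tdata/D877F783D5D3EF8Cs"}
"""


def image_name(image: str) -> str:
    """Basename of the process image, lower-cased, for either path separator."""
    return re.split(r"[\\/]", image)[-1].lower()


def detect(lines):
    """Return one alert per event in which a non-Telegram process touched tdata."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if not TDATA_RE.search(ev["path"]):
            continue  # not inside a tdata folder
        name = image_name(ev["image"])
        if name in TELEGRAM_IMAGES:
            continue  # the client reading its own store is expected
        severity = "high" if KEY_MATERIAL_RE.search(ev["path"]) else "medium"
        alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
                       "image_name": name, "path": ev["path"], "severity": severity})
    return alerts


def summarize(alerts):
    """Collapse per-event alerts into one finding per process (host, pid)."""
    findings = {}
    for a in alerts:
        f = findings.setdefault((a["host"], a["pid"]),
                                {"image_name": a["image_name"], "files": 0, "key_files": 0})
        f["files"] += 1
        f["key_files"] += a["severity"] == "high"
    return findings


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["severity"], a["host"], a["pid"], a["image_name"], a["path"])
    print(summarize(found))
```

Whatever the EDR product, the rule is the same: file reads under a tdata folder by any image other than Telegram's own, with the key_datas and D877F783D5D3EF8C* files weighted highest and a single process touching several of them in quick succession treated as a near-certain session theft.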
Telegram’s Security Gaps and Handala’s Modus Operandi
Several of Telegram's default settings appear to have amplified these risks. The “cloud password” (Telegram's two-step verification), a second factor demanded after the login code, is optional and disabled by default, so on most accounts a single intercepted OTP is enough to log in from a new device. Standard Telegram chats are also not end-to-end encrypted: they are “cloud chats” stored on Telegram's servers and delivered in full to any newly authorized session, which widens the attack surface considerably compared with end-to-end encrypted messages that exist only on the endpoints.
Handala first surfaced in December 2023 and quickly established a presence on cybercrime forums, running multiple Telegram channels and social media accounts. Its operations have predominantly targeted Israeli companies and organizations, and throughout its campaigns the group has voiced support for Iran and for Palestinian causes, suggesting state-sponsored or state-sympathetic motives behind its activity.
The ongoing evolution of cyber threats necessitates continuous vigilance and adaptation of security practices by both individuals and organizations. The Handala incident serves as a stark reminder of the persistent challenges in securing digital communications and the sophisticated tactics employed by malicious actors.