FBI Director Kash Patel’s personal email account was breached by an Iran-linked hacking group, according to statements from the FBI and reports from several news outlets.
The case drew attention because the attackers published personal files, photos, and other material online, while US officials said the compromised data did not include government information.
The group behind the breach, known as Handala Hack Team, said it accessed Patel’s personal account and posted some of the material on its website on Friday.
Meanwhile, the FBI said it had taken steps to reduce risk and described the accessed data as historical and unrelated to official government work.
Hackers publish personal files and make fresh threats
Handala used its website to announce the breach and posted what it said were files from Patel’s account, including a resume and a set of personal photographs. The group also issued a warning, writing, “This is just our beginning,” and questioned the security of US institutions by asking, “If your director can be compromised this easily, what do you expect from your lower-level employees?”
The published images appeared to show Patel in private settings over several years. Media reports described photos of him near a vintage convertible, beside a jet, with cigars, and in hotel or restaurant settings.
News organizations said they had not fully verified every leaked document, though CNN reported that a source familiar with the matter confirmed the authenticity of at least some of the photos.
The hackers also described the incident as proof that the “so-called ‘impenetrable’ systems of the FBI were brought to their knees within hours.” That claim remains disputed.
Cybersecurity researcher Ron Fabela told CNN that the material appeared to come from a personal inbox and not from FBI systems. He said, “This isn’t an FBI compromise — it’s someone’s personal junk drawer.”
That distinction became central to the early coverage of the case. While the attackers framed the event as a strike against the FBI, US officials and outside analysts said the known evidence pointed to a breach of Patel’s private communications rather than an intrusion into government networks.
FBI says no government information was exposed
The FBI confirmed that malicious actors had targeted Patel’s personal email information. In its statement, the bureau said it had taken all necessary steps to address possible risks tied to the breach. It also said the material involved was “historical in nature and involves no government information.”
That statement aimed to draw a clear line between Patel’s role as FBI director and the contents of the compromised account. Reports said the stolen emails appeared to date from around 2011 to 2022 and included personal, business, and travel correspondence.
Based on that timeline, early reviews suggested the exposed material came from years before Patel took over the FBI.
The case also raised renewed attention around earlier warnings involving Patel’s private communications. Reports said Iranian-backed hackers had accessed some of Patel’s communications in late 2024, shortly before he was appointed to lead the FBI.
It remains unclear whether that earlier incident was separate from the breach Handala claimed on Friday or connected to the same pool of compromised material.
US officials have also warned in recent weeks that Tehran-linked cyber groups could step up retaliatory activity after the US and Israel carried out strikes on Iran.
In that setting, the Patel breach added to existing concern over the use of cyber operations to pressure US officials and create public disruption, even when the stolen material is personal rather than classified.
Justice Department pressure and Handala’s response
The breach came only days after the US Justice Department moved against websites tied to Handala. Recently, the department announced the seizure of several domain names that it said the group had used in hacking campaigns and online influence activity linked to Iran’s Ministry of Intelligence and Security, or MOIS.
According to the department, the websites spread “terrorist propaganda,” supported attempted psychological operations, and claimed responsibility for cyberattacks while calling for violence against journalists and dissidents.
CBS News, the BBC’s US partner, reported that the domain used in the Patel case was registered on 19 March, the same day the Justice Department announced the seizure of four domains connected to the group.
Handala said its action against Patel was retaliation for those domain seizures and for the FBI’s public reward offer tied to related malicious activity. The FBI said it is offering up to $10 million for information that helps identify members of the Handala Hack Team.
That reward reflects the US government’s effort to link the group’s online activity to specific operators.
The public exchange between US agencies and the hackers turned the Patel breach into more than a case of personal data exposure. It became part of a wider confrontation between American authorities and cyber actors that officials say work on behalf of the Iranian state or align with its goals.
Link to earlier attacks and wider cyber activity
The Patel breach followed another recent incident that Handala claimed as its work. Earlier, on March 12, the group said it had carried out a cyberattack against US medical technology company Stryker.
In that case, the company’s employee login page was defaced, and the group claimed it had erased data in a “wiper” attack.
Handala went further on its suspended X account and claimed it had wiped “over 200,000 systems, servers, and mobile devices” and extracted “50 terabytes of critical data” from Stryker. Those figures have not been independently verified.
The group said that attack was retaliation for what it called a “brutal attack” on an Iranian girls’ school and for cyberattacks against Iran and its allies.
US authorities have accused the group of working for Iran’s intelligence services, and the Justice Department has treated Handala as part of a broader state-linked cyber effort. Despite recent domain seizures, the group has continued to claim attacks and circulate propaganda material online.

