Iranian-Linked Hackers Leak Data on 2,379 U.S. Marines, Issue Threats
A cyberattack group with ties to Iran’s Ministry of Intelligence has escalated its campaign against the United States by leaking sensitive personal information on approximately 2,379 U.S. Marines stationed in the Persian Gulf region and making explicit death threats. The Handala Hack Team, operating under Iran’s Ministry of Intelligence and Security (MOIS), has become increasingly active since the U.S.-Iran conflict began in February 2026.
The Leaked Information and Threats
On its Telegram channel, Handala boasted about the data breach with an ominous message. The group claimed to have published “the full personal details of 2,379 U.S. Marines stationed in the Persian Gulf region,” describing the leak as “merely as a demonstration” of their capabilities.
The threat escalated further with explicit messaging about targeting military personnel. Handala stated it possessed detailed information including Marines’ family members, home addresses, military bases, shopping habits and nightly activities. The group added a sinister warning: “This exposure is just a minor warning. When zero hour arrives, Kheibar missiles and Shahed drones will rain down not only on those who participated in the crimes of Minab and Gaza, but on every invader who clings to the delusion of immunity.”
The reference to Kheibar missiles and Shahed drones—both weapons systems in Iran’s military arsenal—signals a coordinated threat combining cyber operations with conventional military capabilities.
Part of a Broader Campaign
Handala Hack Team is not new to making such threats. The group has been active since December 2023 and is confirmed by the Department of Justice to be linked to Iran’s Ministry of Intelligence and Security.
Since the U.S.-Iran conflict escalated, Handala has claimed responsibility for several high-profile cyberattacks. In March 2026, the group claimed credit for a destructive malware attack against medical device manufacturer Stryker, alleging the strike was retaliation for U.S. strikes that killed Iranian schoolchildren. The group claimed to have wiped over 200,000 systems and extracted 50 terabytes of critical data.
Beyond Stryker, Handala has targeted Israeli infrastructure including the country’s largest healthcare provider Clalit, posted personal details of FBI Director Kash Patel, and released information on Israeli defense force personnel with explicit threats of violence.
Psychological Operations and Intimidation
Security experts recognize Handala’s tactics as a form of psychological warfare. The group’s “playbook” includes destructive cyberattacks combined with what officials call “faketivist” psychological operations using stolen data, according to Department of Justice court documents.
The leaking of Marine personnel information—complete with family details and daily routines—goes beyond traditional espionage. It serves to intimidate military personnel, their families, and American public confidence in military security protocols. Handala’s messages consistently emphasize surveillance capabilities and knowledge of targets’ movements and locations as a form of psychological pressure.
Escalating Iranian Cyber Threat
U.S. intelligence agencies have warned that Iranian actors are conducting escalating cyber operations targeting critical American infrastructure. The threats extend beyond military personnel to water treatment facilities, power plants, and medical technology companies.
According to security researchers, what distinguishes recent Iranian cyberattacks is their focus on data destruction rather than financial extortion, alongside aggressive psychological warfare. Iran-linked threat actors have shown greater determination to damage or disable energy, water and other key sectors.
U.S. Response and Ongoing Disruption Efforts
In March 2026, the Department of Justice announced the seizure of four domains associated with Handala. However, the group quickly adapted, establishing new web presence within days of the domain seizures.
The FBI has offered a reward of up to $10 million for information leading to the identification of Handala group members. Despite these efforts, cybersecurity experts note that Handala and its MOIS operators are “no strangers to takedowns” and adapt quickly to disruption attempts.
According to the DOJ, the Handala-linked email account [email protected] has been used to send death threats to Iranian dissidents and journalists, offering bounties and soliciting Mexican cartel involvement in violent acts. The scope of Handala’s operations suggests a sophisticated intelligence-gathering apparatus with access to extensive personal data repositories.
What This Means for U.S. Military Personnel
For the nearly 2,379 Marines whose information was leaked, the exposure creates legitimate security concerns. Knowledge of family members’ identities, home addresses, and daily routines can be exploited not only by Handala itself but shared with other hostile actors or local proxies in the Middle East.
The Marines affected should consider enhanced personal security measures, including briefing family members on potential risks, monitoring financial and identity information, and reporting any suspicious contact to appropriate military and law enforcement authorities.
Looking Forward
The Handala Hack Team’s escalating threats and demonstrated access to sensitive U.S. military personnel data represent a significant national security concern. The group’s combination of operational cyber capabilities, psychological warfare tactics, and explicit military threats—backed by references to Iranian weapons systems—suggests a coordinated intelligence and military operation rather than simple hacktivism.
As the conflict continues to escalate, U.S. officials warn that Iranian cyberattacks targeting American infrastructure “have recently escalated, likely in response to hostilities between Iran and the United States and Israel”. The threats to Marines in the Persian Gulf may represent only the beginning of Iranian cyber retaliation efforts targeting U.S. military and civilian infrastructure.