Hacked files of FBI director Kash Patel circulate online
NYT News Service | March 28, 2026 12:57 PM CST

Synopsis

Hackers claiming links to Iranian intelligence leaked emails and photographs from Kash Patel’s personal account. The material, mostly old and non-government, appeared online via a suspicious website. There were indications that whoever hacked Patel was holding back additional materials: The main website had images of attachments to emails that do not appear to be in the initial release, like a version of his résumé from 2016.

Emails and photographs stolen from a personal email account of Kash Patel, the director of the FBI, circulated online on Friday, as hackers who claimed to be part of a group affiliated with Iranian intelligence took responsibility for the release.

The release of materials from before Patel's time as FBI chief appeared to be an effort to embarrass him as the war in Iran nears its first month. But there were questions about who had carried out the cyberattack and it remained unclear when the intrusion had taken place.

The files were posted on a website that included the name "Handala Team." Handala, a pro-Iranian hacktivist group, is associated with the country's Ministry of Intelligence and Security and is known for conducting "hack and leak" operations.


However, cybersecurity tools indicated that the website was being hosted by a computer server in Russia, which has a long history of hack-and-dump operations, including one involving Democratic emails during the 2016 election. The site's domain was registered on March 19 by an entity that appeared to identify itself as the Kingdom of Tonga.

VirusTotal, which analyses websites for malicious code, flagged a risk that the website on which the files were posted could implant malware on the devices of people who visited it.

In a statement, an FBI spokesperson, Ben Williamson, noted that the State Department had offered a $10 million reward for information that would lead to identifying the Handala Hack Team out of Iran, "a group that has frequently targeted U.S. government officials."

While he acknowledged that Patel's personal emails had been compromised, he did not specify when the breach occurred.

"The FBI is aware of malicious actors targeting Director Patel's personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity," Williamson said. "The information in question is historical in nature and involves no government information."

A set of the files posted on the website appeared to contain more than 300 messages from a Gmail account used by Patel. The earliest was from February 2010 and the most recent was from February 2022. They were largely anodyne personal messages related to matters like hunting for an apartment or booking travel.

Most were from 2010 to 2014, when Patel, a federal public defender in Miami, applied for a job at the Justice Department's national security division, and moved to Washington. The messages include his job application materials and efforts by friends to introduce him to people in his new city. One email had photographs from what appeared to be a visit to Cuba in 2013.

There were indications that whoever hacked Patel was holding back additional materials: The main website had images of attachments to emails that do not appear to be in the initial release, like a version of his résumé from 2016. That version said he had received an award from the CIA whose details were classified.

The Iranians have long tried to hack prominent U.S. officials, seeking revenge for the 2020 killing of Gen. Qassem Soleimani, who led the powerful Quds Force of the Revolutionary Guard.

In September 2024, the FBI warned that hackers linked to the Guard were targeting current and former senior U.S. officials, journalists and others associated with U.S. political campaigns.

"The targets usually have some nexus to Iranian and Middle Eastern affairs," the bureau said in an advisory.

A former U.S. law enforcement official said Patel was among the victims.

That same month, the Justice Department indicted three Guard members who had been involved in the hacking since 2020. They used spear phishing and social engineering techniques to target and compromise victims' computers and accounts, according to prosecutors.

