Handala Hackers Breach Telegram Accounts Linked to Israeli Officials

In December 2025, the Iran-linked hacking group known as Handala escalated its influence operations against Israel’s political establishment by publishing material it claimed was pulled from the fully “compromised” mobile devices of two high-profile officials.

A technical review by threat intelligence firm KELA, however, indicates the intrusions were far narrower in scope, centered on unauthorized access to Telegram accounts rather than whole-device takeover.

The first alleged breach, branded by Handala as “Operation Octopus,” targeted former Israeli Prime Minister Naftali Bennett.

The group claimed it had hacked Bennett’s iPhone 13 and released contact lists, photos, videos, and roughly 1,900 chat conversations.

The leak appeared designed to maximize political and psychological impact: exposed contacts reportedly included senior Israeli officials, journalists, and business executives.

Bennett initially denied that his device had been compromised, but later acknowledged unauthorized access to his Telegram account while maintaining that his phone itself remained secure.

Soon afterward, Handala claimed it had also breached the iPhone belonging to Tzachi Braverman, Chief of Staff to Prime Minister Benjamin Netanyahu.

In statements accompanying the leak, the group alleged it possessed encrypted communications, financial records, and evidence tied to corruption, and it threatened additional disclosures framed around alleged political scandals.

According to KELA’s data lake, Handala posted approximately 140 posts across platforms including BreachForums, Ramp, and Exploit during this period.

Handala post on cybercrime platform BreachForums.

The data Handala published included contact lists for senior officials, videos from public events, and unclassified documents. Israel’s Prime Minister’s Office publicly denied the breach.

Handala Telegram Hack

KELA’s analysis of the released dataset challenges the group’s headline claims. Investigators found that the supposed “chat conversations” were largely composed of empty contact cards automatically generated by Telegram when an account synchronizes contacts.

Out of the approximately 1,900 purported chats, only around 40 contained actual messages, and fewer still showed meaningful exchanges.
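The kind of triage KELA describes, as an added example that is not part of the original article: it walks a chat list in the shape of a Telegram Desktop JSON export and separates chats that hold real messages from empty contact entries. The sample data is constructed (not leaked material), the export layout and service-action names are assumptions, and the "substantive" threshold is arbitrary.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Telegram Desktop export
# (result.json -> "chats" -> "list"). Names, ids and action labels are invented.
SAMPLE_EXPORT = json.dumps({
    "chats": {"list": [
        {"name": "Contact A", "type": "personal_chat", "id": 1, "messages": []},
        {"name": "Contact B", "type": "personal_chat", "id": 2, "messages": []},
        {"name": "Contact C", "type": "personal_chat", "id": 3,
         "messages": [{"id": 10, "type": "service", "action": "phone_call"}]},
        {"name": "Contact D", "type": "personal_chat", "id": 4,
         "messages": [{"id": 11, "type": "message", "from": "Contact D", "text": "hi"}]},
        {"name": "Working group", "type": "private_group", "id": 5,
         "messages": [{"id": 12, "type": "message", "from": "X", "text": "agenda"},
                      {"id": 13, "type": "message", "from": "Y", "text": "ok"},
                      {"id": 14, "type": "message", "from": "X", "text": "see attached"},
                      {"id": 15, "type": "service", "action": "pin_message"}]},
    ]}
})

MIN_SUBSTANTIVE = 3  # real messages needed to call a chat a "meaningful exchange" (assumption)

def triage_chats(export_json: str, min_substantive: int = MIN_SUBSTANTIVE) -> dict:
    """Classify each exported chat by how many real (non-service) messages it holds."""
    chats = json.loads(export_json).get("chats", {}).get("list", [])
    results = []
    for chat in chats:
        # Service entries (calls, pins, joins) are not conversation content.
        real = [m for m in chat.get("messages", []) if m.get("type") == "message"]
        if not real:
            label = "empty"        # a contact card with no conversation behind it
        elif len(real) < min_substantive:
            label = "minimal"
        else:
            label = "substantive"
        results.append({"name": chat.get("name"), "type": chat.get("type"),
                        "real_messages": len(real), "label": label})
    counts = Counter(r["label"] for r in results)
    return {"total": len(chats), "counts": dict(counts), "chats": results}

def summarize(export_json: str) -> str:
    """One-line headline figure: how many of the claimed chats carry any messages."""
    t = triage_chats(export_json)
    c = t["counts"]
    return (f"{t['total']} chats: {c.get('empty', 0)} empty, "
            f"{c.get('minimal', 0)} minimal, {c.get('substantive', 0)} substantive")

if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
    for r in triage_chats(SAMPLE_EXPORT)["chats"]:
        print(f"  {r['label']:<12} {r['real_messages']:>3}  {r['name']}")
```

Run against a real export, the ratio of "empty" to "substantive" is the number to compare with a leak's headline chat count.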

The group’s sites ran on WordPress and, at times, left administrative login pages exposed, revealing a primary user account, “vie6c”, responsible for operating the site.

Handala seeking assistance through the aaPanel platform.

Critically, the contacts in the dump were linked to active Telegram accounts, supporting KELA’s assessment that the source of the data was Telegram account access rather than deep forensic extraction from the underlying devices.

The episode reinforces a key reality of modern political targeting: messaging accounts can be hijacked through multiple pathways that do not require “hacking the phone.”

Common vectors include SIM swapping and SMS interception, multi-step social engineering to capture one-time passcodes (including voicemail-based OTP recovery), and phishing via fake Telegram login pages or malicious QR code flows that can instantly authorize a new session.

Implications

Telegram’s optional “cloud password” (its additional password layer) also remains a weak point when not enabled or when attackers can steal it via phishing, keylogging, or password reuse.

KELA further assessed that session hijacking remains a practical route for capable actors. Telegram Desktop session material stored in the “tdata” folder can grant full account access if copied from a compromised workstation or from cloud-synced backups.

While Handala has historically deployed infostealers and destructive malware through phishing campaigns impersonating trusted vendors, the latest leaks suggest account-level compromise may deliver sufficient impact without a full-device intrusion.

Handala first emerged publicly in late 2023 and has maintained a persistent presence across cybercrime forums and social platforms, repeatedly resurfacing after account takedowns.

Open-source reporting and OSINT research have linked the group to Iran’s broader cyber ecosystem, where affiliated “leak brands” are used to amplify coercion and narrative warfare even when technical access is limited.

For officials and organizations, the incident is a reminder that “secure” apps are only as strong as their session controls.

Enabling Telegram’s cloud password, tightening SIM security with carriers, auditing active sessions, and isolating messaging from cloud backups can reduce the risk of account compromise, especially for high-value targets facing sustained spear-phishing and influence operations.
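A session audit of the kind recommended above, as an added example that is not part of the original article or of any Telegram tooling: it applies a few plain rules (unofficial client, unexpected country, very new, long idle) to a list of session records. The records are constructed, with field names modelled on Telegram's Authorization object, and the expected-country set and thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed session records; field names follow Telegram's Authorization object,
# values are invented. A live audit would fill this list from account.getAuthorizations.
NOW = datetime(2025, 12, 20, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    {"hash": 1, "current": True, "official_app": True, "app_name": "Telegram iOS",
     "platform": "iOS", "device_model": "iPhone 13", "country": "IL",
     "date_created": NOW - timedelta(days=400), "date_active": NOW},
    {"hash": 2, "current": False, "official_app": True, "app_name": "Telegram Desktop",
     "platform": "Windows", "device_model": "Desktop", "country": "IL",
     "date_created": NOW - timedelta(days=30), "date_active": NOW - timedelta(days=1)},
    {"hash": 3, "current": False, "official_app": False, "app_name": "tg-export",
     "platform": "Linux", "device_model": "Unknown", "country": "NL",
     "date_created": NOW - timedelta(hours=6), "date_active": NOW - timedelta(hours=2)},
    {"hash": 4, "current": False, "official_app": True, "app_name": "Telegram Web",
     "platform": "Web", "device_model": "Chrome", "country": "IL",
     "date_created": NOW - timedelta(days=200), "date_active": NOW - timedelta(days=120)},
]

EXPECTED_COUNTRIES = {"IL"}   # where the account owner normally signs in (assumption)
STALE_DAYS = 90               # idle sessions older than this should be terminated
NEW_HOURS = 48                # sessions created this recently deserve a second look

def audit_sessions(sessions, now=NOW, expected_countries=EXPECTED_COUNTRIES):
    """Return [(hash, [reasons])] for every non-current session that trips a rule."""
    findings = []
    for s in sessions:
        if s["current"]:
            continue  # the session running the audit itself
        reasons = []
        if not s["official_app"]:
            reasons.append("unofficial client")
        if s["country"] not in expected_countries:
            reasons.append(f"unexpected country {s['country']}")
        if now - s["date_created"] < timedelta(hours=NEW_HOURS):
            reasons.append(f"created in the last {NEW_HOURS}h")
        if now - s["date_active"] > timedelta(days=STALE_DAYS):
            reasons.append(f"idle for more than {STALE_DAYS} days")
        if reasons:
            findings.append((s["hash"], reasons))
    return findings

if __name__ == "__main__":
    for h, reasons in audit_sessions(SAMPLE_SESSIONS):
        print(f"session {h}: {'; '.join(reasons)}")
```

Flagged sessions are candidates for termination from the account's own device; the rules are deliberately simple so that a reviewer can explain each finding.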
