In December 2025, the Iranian-linked hacking group Handala claimed to have fully compromised the mobile devices of two prominent Israeli political figures.
However, detailed analysis by Kela cyber intelligence researchers revealed a more limited scope—the breaches targeted Telegram accounts specifically, not complete device access.
The group claimed to have breached former Prime Minister Naftali Bennett’s iPhone 13 during Operation Octopus, releasing contact lists, photos, videos, and approximately 1,900 chat conversations.
Shortly after, they claimed similar access to Tzachi Braverman’s device, the Israeli Chief of Staff. Despite these dramatic claims, the actual breach exposed critical gaps in account security rather than device-level compromise.
Kela analysts conducted forensic examination of the leaked materials and identified that most of the exposed conversations were empty contact cards automatically generated by Telegram during synchronization.
Only about 40 conversations contained actual messages, with even fewer showing substantial exchanges. All exposed contacts linked to active Telegram accounts, confirming the data originated from Telegram itself.
.webp "Handala Hackers Targeted Israeli Officials by Compromising Telegram Accounts 3")
Kela researchers and analysts noted that the incident highlighted serious vulnerabilities in session management and account security practices, even on encrypted messaging platforms.
Understanding the infection and account takeover mechanism reveals how Handala compromised these accounts without full device access.
The group likely employed multiple attack vectors including SIM swapping, where attackers assume control of the victim’s phone number to receive login verification codes.
They could also exploit SS7 protocol weaknesses in telecommunications infrastructure to intercept SMS messages at the network level. Additionally, Handala may have utilized sophisticated phishing campaigns that captured one-time passwords through fake login pages or malicious QR codes.
Session hijacking
Session hijacking represented another probable vector, where attackers copied the tdata folder from Telegram Desktop—the authentication file containing active session data that grants full account access when restored elsewhere, bypassing OTP and multi-factor authentication entirely.
The group’s operational approach also included harvesting OTP codes through multiple techniques: triggering verification via voice calls, extracting codes from voicemail by exploiting unchanged default PINs, or impersonating Telegram support to socially engineer staff into disclosing credentials.
.webp "Handala Hackers Targeted Israeli Officials by Compromising Telegram Accounts 4")
Telegram’s default settings significantly amplified these risks. The cloud password feature remains optional and disabled by default, meaning possession of an OTP alone provides complete account access.
Standard chats lack end-to-end encryption, storing data on Telegram servers as cloud chats rather than locally, expanding the attack surface considerably.
.webp "Handala Hackers Targeted Israeli Officials by Compromising Telegram Accounts 5")
Handala first emerged in December 2023, establishing presence across multiple cybercrime forums and operating various Telegram channels and social media accounts.
Their operations primarily targeted Israeli companies and organizations, consistently demonstrating support for Iran and Palestinian causes throughout their campaigns, indicating state-sponsored or state-sympathetic motivations.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
