Handala Hackers: Telegram Account Compromise of Israeli Officials

In December 2025, the Iranian-linked group Handala claimed to have fully compromised the mobile devices of senior Israeli officials. Forensic analysis of the leaked data tells a narrower story: the attackers got into the officials' Telegram accounts, not their phones.

What Actually Happened

  • Targets claimed:
    • Former Prime Minister Naftali Bennett (iPhone 13).
    • Tzachi Braverman, Chief of Staff to the Prime Minister.
  • Data leaked: Contact lists, photos, videos, and roughly 1,900 "chat conversations".
  • Reality check (KELA analysis):
    • Most of the leaked "conversations" were empty chat entries: Telegram creates one for every synced address-book contact who has an account, so an export lists them even when no message was ever exchanged.
    • Only about 40 chats contained real messages.
    • Every leaked contact corresponds to an active Telegram account. A phone-level compromise would have yielded the full address book (including contacts not on Telegram), so the dump is consistent with a Telegram account export, not a device takeover.
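The triage KELA describes (separating chats with real messages from entries that exist only because of contact sync) is easy to reproduce over a Telegram chat export. The script below is an added example, not part of the original article or of KELA's tooling; the sample export is constructed here and only mirrors the `chats -> list -> messages` layout of Telegram Desktop's `result.json`, with invented names and content.

```python
"""Triage a Telegram chat export to separate entries that carry real
conversation from contact cards that sync created but never held a message."""
import json

# Constructed sample shaped like Telegram Desktop's result.json
# (chats -> list -> messages). Names and messages are invented.
SAMPLE_EXPORT = json.dumps({
    "chats": {"list": [
        {"name": "Contact A", "type": "personal_chat", "id": 1001, "messages": []},
        {"name": "Contact B", "type": "personal_chat", "id": 1002, "messages": []},
        {"name": "Contact C", "type": "personal_chat", "id": 1003, "messages": [
            {"id": 1, "type": "service", "date": "2025-11-20T10:00:00",
             "actor": "Contact C", "action": "phone_call"}]},
        {"name": "Contact D", "type": "personal_chat", "id": 1004, "messages": [
            {"id": 1, "type": "message", "date": "2025-12-02T09:00:00",
             "from": "Contact D", "text": "Are we still meeting at 3?"},
            {"id": 2, "type": "message", "date": "2025-12-02T09:05:00",
             "from": "Owner", "text": "Yes, same place."},
            {"id": 3, "type": "message", "date": "2025-12-02T09:06:00",
             "from": "Owner", "photo": "photos/photo_1@02-12-2025_09-06-00.jpg",
             "text": ""}]},
        {"name": "Work Group", "type": "private_group", "id": 2001, "messages": [
            {"id": 1, "type": "message", "date": "2025-12-03T08:00:00",
             "from": "Contact D",
             "text": [{"type": "bold", "text": "Agenda"}, " for Monday"]}]},
    ]}
})


def _message_text(msg):
    """Flatten the export's text field, which is either a string or a list
    of plain strings and formatted-entity dicts."""
    text = msg.get("text", "")
    if isinstance(text, list):
        text = "".join(p if isinstance(p, str) else p.get("text", "") for p in text)
    return text.strip()


def _is_real_message(msg):
    """A user-authored message with text or an attachment. Service entries
    (calls, joins, pins) are not conversation content."""
    if msg.get("type") != "message":
        return False
    return bool(_message_text(msg)) or any(k in msg for k in ("photo", "file", "media_type"))


def triage(export_json):
    """Return counts of empty, service-only and real chats, plus the real
    chats with their message counts in export order."""
    data = json.loads(export_json)
    report = {"total": 0, "empty": 0, "service_only": 0, "real": 0, "real_chats": []}
    for chat in data["chats"]["list"]:
        report["total"] += 1
        messages = chat.get("messages", [])
        real = [m for m in messages if _is_real_message(m)]
        if not messages:
            report["empty"] += 1          # contact card created by address-book sync
        elif not real:
            report["service_only"] += 1   # e.g. a missed call, nothing was said
        else:
            report["real"] += 1
            report["real_chats"].append((chat.get("name"), len(real)))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_EXPORT)
    print(f"{r['total']} chats: {r['empty']} empty, {r['service_only']} service-only, "
          f"{r['real']} with real messages")
    for name, count in r["real_chats"]:
        print(f"  {name}: {count} messages")
```

Run against a real export, the `empty` count is the number of "conversations" a leak can inflate its headline with, and `real_chats` is the list an incident responder actually needs to review for exposed content.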

Likely Attack Vectors

  • SIM swapping: Taking over the victim's phone number at the carrier so the SMS or voice login code is delivered to the attacker.
  • SS7 exploitation: Abusing the telecom signalling network to reroute or intercept the SMS login code before it reaches the victim's handset.
  • Phishing: Fake Telegram login pages that capture the one-time code, or attacker-generated login QR codes; scanning such a code from a logged-in Telegram app authorises the attacker's device on the victim's account.
  • Session hijacking: Copying Telegram Desktop's tdata folder, which holds the already-authenticated session key. Whoever has the folder is logged in without needing a code.
  • OTP harvesting:
    • Requesting the code by voice call and diverting or answering the call.
    • Letting the voice-call code land in voicemail, then retrieving it with a weak or default voicemail PIN.
    • Impersonating Telegram support to talk the victim into reading out the code.

Why Telegram Was Vulnerable

  • Cloud password optional: Two-step verification (the "cloud password") is off by default, so the one-time login code alone grants full account access, including the complete chat history.
  • Standard chats not end-to-end encrypted: Ordinary cloud chats are encrypted only between client and server and stored on Telegram's servers, so any newly authorised device can pull the entire history.
  • Session persistence: A copied session file carries an already-authenticated key, so it is never challenged for a login code or the cloud password; both protections apply only at login time.

Implications

  • Operational risk: Attackers gained visibility into sensitive contacts and limited conversations.
  • Psychological impact: Public claims of “device compromise” amplified fear and propaganda value.
  • State-linked activity: Handala consistently aligns with Iranian and Palestinian causes, suggesting state sponsorship or sympathy.

Defensive Measures

  • For Telegram users:
    • Enable two-step verification (the cloud password) under Settings > Privacy and Security. It is required on every new login, so a stolen one-time code alone is no longer enough.
    • Regularly review active sessions (Settings > Devices on mobile, Settings > Privacy and Security > Active sessions on desktop); terminate any device, IP or location you do not recognise, and set sessions to auto-terminate after a short period.
    • On Telegram Desktop, set a local passcode, which encrypts the tdata folder at rest so a copied folder is not immediately usable.
    • Avoid keeping sensitive material in standard cloud chats; use Secret Chats, which are end-to-end encrypted and device-bound, for anything that must not be readable from a newly authorised device.
    • Change the default voicemail PIN and ask the carrier for a port-out / SIM-change PIN on the number tied to the account.
    • Treat unsolicited login pages, QR codes and "Telegram support" messages as hostile; Telegram never asks for the login code.
  • For organizations:
    • Train staff on SIM swap and OTP phishing risks, including the voice-call and voicemail variants.
    • Monitor endpoints for processes other than Telegram Desktop reading or archiving the tdata folder, and alert on new Telegram sessions from unexpected locations.
    • Encourage secure messaging alternatives for highly sensitive communications.
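One concrete form of the "monitor for session hijacking" advice is an endpoint rule that flags any process other than Telegram Desktop touching the tdata session store. The script below is an added example, not tooling from the article; the event shape is an assumed simplification of Sysmon-style file-access telemetry, the events themselves are constructed, the file names under tdata are illustrative, the list of staging tools is an assumption, and the "Telegram.exe must live beside its own tdata" check relies on the default per-user install layout and will need adjusting for portable installs.

```python
"""Flag processes other than Telegram Desktop that touch the tdata session
store, from endpoint file-access events (assumed simplified Sysmon-like
shape: time, host, user, image = acting process, target = file path)."""
from collections import Counter
from pathlib import PureWindowsPath

# Only Telegram Desktop itself should open tdata (assumption for this check).
ALLOWED_IMAGES = {"telegram.exe"}
# Tools commonly used to package or move files off a host (assumed list).
STAGING_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "powershell.exe", "cmd.exe",
                 "robocopy.exe", "xcopy.exe", "python.exe", "curl.exe"}

TG_DIR = r"C:\Users\alice\AppData\Roaming\Telegram Desktop"
# Constructed events, not real telemetry. File names under tdata are illustrative.
SAMPLE_EVENTS = [
    {"time": "2025-12-10T08:01:02Z", "host": "WS01", "user": "CORP\\alice",
     "image": TG_DIR + r"\Telegram.exe", "target": TG_DIR + r"\tdata\key_datas"},
    {"time": "2025-12-10T08:14:40Z", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": TG_DIR + r"\tdata\key_datas"},
    {"time": "2025-12-10T08:14:41Z", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Program Files\7-Zip\7z.exe", "target": TG_DIR + r"\tdata\maps"},
    {"time": "2025-12-10T09:02:11Z", "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Users\bob\Downloads\Telegram.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"time": "2025-12-10T09:05:00Z", "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\bob\Documents\notes.txt"},
]


def _tdata_root(path):
    """Return the path up to and including the 'tdata' component, or None
    if the path is not inside a tdata folder."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts):
        if part.lower() == "tdata":
            return PureWindowsPath(*parts[:i + 1])
    return None


def detect_tdata_access(events):
    """Return one alert per event in which a process touches tdata without a
    benign explanation. Severity: high for known staging tools, medium for
    any other unexpected process or a misplaced Telegram.exe."""
    alerts = []
    for ev in events:
        root = _tdata_root(ev["target"])
        if root is None:
            continue
        image = PureWindowsPath(ev["image"])
        name = image.name.lower()
        if name in ALLOWED_IMAGES:
            # Default install keeps tdata next to Telegram.exe; a binary with the
            # same name elsewhere reading this tdata may be a renamed tool.
            if str(image.parent).lower() == str(root.parent).lower():
                continue
            severity = "medium"
            reason = "Telegram.exe outside the install directory that owns this tdata"
        elif name in STAGING_TOOLS:
            severity = "high"
            reason = f"staging/exfiltration tool {name} read tdata"
        else:
            severity = "medium"
            reason = f"unexpected process {name} read tdata"
        alerts.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                       "image": ev["image"], "target": ev["target"],
                       "severity": severity, "reason": reason})
    return alerts


def summarize(alerts):
    """Count alerts per (host, user) so a burst against one account stands out."""
    return dict(Counter((a["host"], a["user"]) for a in alerts))


if __name__ == "__main__":
    found = detect_tdata_access(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['user']}: {a['reason']}")
    print(summarize(found))
```

A hit on the high rule for a user whose Telegram account is then seen with a new active session is the sequence that turns a suspicious file read into a session-theft incident; at that point the response is to terminate all other sessions from a trusted device and rotate the cloud password, since the stolen key stays valid until the session is revoked.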

Takeaway

Handala's campaign shows how an account-level compromise can be repackaged as a "full device breach" for propaganda. Technically, the incident comes down to Telegram's defaults: a login code alone is enough unless the cloud password is enabled, cloud chats are readable from any authorised device, and a copied session file is never re-challenged. Turning on two-step verification, pruning active sessions and keeping sensitive material in Secret Chats close most of that gap.
