Iran has publicly acknowledged for the first time that the commander of the Handala hacker group, one of the most aggressive cyber operations ever run against Israel, was killed in an Israeli strike during the opening hours of Operation Roaring Lion, confirming what Western intelligence agencies and cybersecurity researchers had long suspected: that the group posing as pro-Palestinian hacktivists was in fact a senior arm of Iranian state intelligence.
Yahya Hosseini Panjaki, commander of the Iranian hacker group Handala, was killed in a targeted strike during the recent war in Iran. On Wednesday, a Telegram channel affiliated with the Intelligence Organization of the Islamic Revolutionary Guard Corps publicly confirmed for the first time that Panjaki had led the group.
Israel's military had said it killed senior members of Iran's Intelligence Ministry, including Yahya Hamidi, the deputy minister of intelligence for Israel affairs, in the opening strike of Operation Roaring Lion. Iran International reported in 2024 that Yahya Hosseini Panjaki, alias Yahya Hamidi, served as a deputy for internal security and the official in charge of the Israel desk at the Intelligence Ministry, and was a main architect of operations targeting Islamic Republic opponents abroad.
He was killed on February 28, 2026, the first day of the war. He was responsible for directing operations related to Israel within the Ministry of Intelligence and played a central role in planning and executing actions against Israeli-linked targets, including activities targeting Jewish communities in Western countries as well as opponents of the Islamic Republic inside and outside Iran. He was considered part of a new generation of intelligence officials trusted by Supreme Leader Ali Khamenei.
The Group Behind the Hacks
The Iranian acknowledgment strips away the fiction that Handala was an independent hacktivist collective and confirms what multiple Western governments and cybersecurity firms had documented: the group was a state intelligence operation from the outset.
The U.S. Department of Justice described Handala as a fictitious identity used by the MOIS to hide its role in "influence operations and psychological scaremongering campaigns." Handala Hack Team represents one of several personas that MOIS operates to target Israel, Iranian opposition groups, and increasingly the United States, associated with MOIS's Counterterrorism Division and operating under Panjaki's direct supervision.
According to Check Point Research, Void Manticore overlaps with activity linked to the MOIS Internal Security Deputy, particularly its Counter-Terrorism Division, operating under the supervision of Panjaki. Handala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access.
The group's operations inside Israel were extensive and deeply personal. In recent months, Handala was linked to the exposure of data allegedly obtained from the mobile phones of senior Israeli officials, including former Prime Minister Naftali Bennett, former IDF Chief of Staff Herzi Halevi, Netanyahu's former chief of staff Tzachi Braverman, and other senior figures. The group also claimed to have leaked emails from former Defense Minister Yoav Gallant, former Mossad head Tamir Pardo, and former Prime Ministers Ehud Barak and Benny Gantz, publishing photographs, private communications, contacts, and classified materials designed to embarrass targets and erode public confidence in Israel's leadership.
The group also claimed in November 2024 to have seized documents containing the names of hundreds of Mossad operatives following the killing of Hamas leader Yahya Sinwar, and in January 2025 targeted public address systems of at least 20 Israeli kindergartens, playing Arabic messages, anti-Israeli songs, and rocket sirens.
Wartime Escalation and the Stryker Attack
During the Iran war itself, Handala escalated significantly beyond Israeli targets. The group was responsible for a wiping attack through Microsoft Intune against Stryker Corporation, a Michigan-based Fortune 500 medical technology company, described as the most significant wartime cyberattack on the United States.
Panjaki's death did not end Handala's operations. The group continued to function after his killing, demonstrating a degree of operational decentralization that made it resilient to leadership decapitation. Since the beginning of the war, Iran's MOIS has likely broadened the Handala brand further to encompass physical operations, with a newly created persona soliciting individuals to conduct targeted violent attacks, espionage, and sabotage against U.S. and Israeli personnel and facilities in exchange for financial reward.
With Panjaki killed and MOIS leadership appointments now blocked by the IRGC, the organizational line of civilian accountability that ran from Handala's operators upward through the intelligence ministry has been severed or subordinated, raising concerns that the group's next phase could be more dangerous rather than less.
