Justice Department Seizes Iranian Government-Linked Websites Used in Cyber Operations

The U.S. Department of Justice has announced the seizure of four websites identified as being utilized by Iran’s Ministry of Intelligence and Security (MOIS) for cyber-enabled psychological operations and transnational repression. This action is part of an ongoing effort to dismantle schemes targeting adversaries of the Iranian regime. The seized domains – Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to – were allegedly used to claim responsibility for hacking activities, publish stolen sensitive data, and issue threats, including calls for violence against journalists, dissidents, and individuals of Israeli nationality.

According to information supporting the court-authorized seizure, the MOIS employed these platforms to conduct psychological operations by falsely taking credit for cyberattacks. For instance, the Handala-Hack[.]to domain was reportedly used to claim responsibility for a destructive malware attack against a U.S.-based multinational medical technologies firm in March 2026. These operations aimed to intimidate and silence critics of the Iranian government.

The FBI’s investigation revealed a connection between the four seized domains through shared leak sites, Iranian internet protocol (IP) addresses, and a common operational strategy. This strategy included engaging in destructive and disruptive cyberattacks, alongside psychological operations that leveraged data obtained through hacking.

The domains Handala-hack[.]to and Handala-redwanted[.]to were particularly active following a conflict between the U.S. and Iran that began in late February 2026. Court documents allege that these domains published personally identifiable information (PII) of targeted individuals. Handala-hack[.]to also claimed responsibility for various hacks. In one instance on March 11, 2026, it claimed an attack against a U.S. medical technology company, describing it as retaliation for perceived cyber assaults on the “Axis of Resistance.”

Furthermore, by March 9, 2026, Handala-redwanted[.]to had reportedly posted the names and sensitive PII of approximately 190 individuals associated with the Israeli Defense Force (IDF) and the Israeli government. These posts allegedly included threats, indicating the individuals were being monitored and that consequences were imminent. Similar postings of names and confidential data from IDF members, accompanied by explicit threats and location information, were also attributed to Handala-hack[.]to around March 6, 2026. On the same date, Handala-hack[.]to also claimed to have stolen extensive confidential data from members of the Sanzer Hasidic Jewish community, including purported documents related to financial cooperation and sensitive correspondences, accompanied by threats.

Beyond public postings, investigative findings indicated that the email account Handala_Team@outlook[.]com was used to send death threats to Iranian dissidents and journalists both within the United States and internationally. These communications reportedly offered bounties and solicited assistance from members of the Jalisco New Generation Cartel (CJNG) for acts of violence. An email example cited in the investigation, sent on or about March 1, 2026, to two victims in the U.S. and abroad, included subject lines like “Death to [redacted victim names]” and detailed threats of execution, specifying bounty offers and mentioning the alleged involvement of CJNG partners in certain U.S. states and foreign countries.

The Handala-hack[.]to domain was also reportedly part of a broader effort to harass and intimidate Iranian dissidents and journalists who had publicly criticized the Iranian government. Threat actors associated with the domain allegedly directed online threats to these individuals, aiming to embarrass, discredit, and suppress their voices. The use of these platforms was intended to amplify threats, pressure critics, discourage independent reporting, and foster fear within the Iranian diaspora critical of the regime.

The domains Justicehomeland[.]org and Karmabelow80[.]org were allegedly operated as official websites for a shell hacktivist group controlled by the MOIS. Court documents suggest that these domains were used by MOIS actors on July 15, 2022, and September 9, 2022, to claim responsibility for stealing sensitive documents from Albanian government organizations. This action was reportedly motivated by Albania’s support for Mujahedeen e-Khalq (MEK), an Iranian dissident group advocating for the overthrow of the Iranian government.

In connection with these enforcement actions, the Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information concerning individuals acting under the direction of a foreign government who engage in certain malicious cyber activities against U.S. critical infrastructure, in violation of the Computer Fraud and Abuse Act.

The FBI Baltimore Field Office, in coordination with the FBI Cyber Division, conducted the investigation. The U.S. Attorney’s Office for the District of Maryland and the National Security Division’s National Security Cyber Section are prosecuting the case.

Article by Mel Anara, based upon information from the U.S. Attorney’s Office, District of Maryland

---