
Website that FBI seized and was used by Iran-linked hackers to bring down Stryker medical machines is back online: What Handala group said



Just one day after the FBI and Department of Justice (DOJ) seized four of its domains, the Iranian government-linked hacking group that claimed responsibility for the March 11 cyberattack on US medical device giant Stryker has re-established its online presence. According to news agency Reuters, Handala said in a post on Friday (March 20) on its website that the seizures were “desperate attempts by the United States and its allies to silence the voice of Handala.”

What the FBI and DOJ did to ‘Handala Hack Team’ website

On March 19, the Justice Department announced that it had seized four internet domains associated with the “Handala Hack Team”, the group that carried out the cyberattack on Stryker, America’s largest medical device maker.

“The Justice Department announced the seizure of four domains as part of an ongoing effort to disrupt hacking and transnational repression schemes conducted by the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS). The affidavit supporting the seizure warrant can be found here. The seized domains – Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to – were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents and Israeli persons,” the official announcement reads.

A partially redacted FBI affidavit filed in support of the seizure references a March 11, 2026 cyberattack on “a major American multinational medical technologies firm” and quotes the message Handala posted announcing the attack. A DOJ spokesperson told Reuters that the FBI affidavit “asserts that there is probable cause to believe that the operators of the ‘Handala’ persona are members of a conspiracy that carried out a destructive malware attack against a U.S.-based multinational medical technologies firm.”

Cybersecurity experts say return ‘not surprising’

For cybersecurity experts, Handala’s quick return was unsurprising. According to Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation, “Iranian threat actors, MOIS in particular, are no strangers to takedowns.”

“Handala alone has had tens of Telegram channels, X accounts and domains taken down, and these takedowns have never slowed them down significantly,” he said. Ben Am added that it would be “trivial for Handala and its MOIS operators to get that content back up on another domain very, very soon” – a prediction that proved accurate within a single day.


