The Federal Bureau of Investigation and the Department of Justice seized two websites linked to the pro-Iranian hacktivist group Handala on Thursday. Law enforcement officials took action following the group's claim of responsibility for a destructive cyberattack against U.S. medical technology giant Stryker. The move marks a significant escalation in the government's response to foreign-backed cyber operations targeting critical infrastructure and corporate networks.
The seized domains previously hosted logs detailing the group's hacking activities and sensitive information gathered on individuals associated with the Israeli military. TechCrunch confirmed the takedown by examining nameserver records, which now point to servers controlled by the Federal Bureau of Investigation headquarters. A banner displaying the law enforcement action replaced all original content on the platforms as of Thursday morning, signaling a definitive end to public access.
Officials stated that authorities determined the domains facilitated malicious cyber activities conducted in coordination with a foreign state actor. The United States Government has taken control of these assets to disrupt those operations and prevent further exploitation of U.S. networks by hostile entities. The announcement did not specify the exact legal mechanisms used to execute the seizure or the full scope of the investigation into the group's funding sources.
In a series of posts on their official Telegram channel, Handala members acknowledged the takedown and described it as a desperate attempt to silence their voice. The group claimed that this act of digital aggression highlights the fear their actions have instilled in the organizations they target and the governments they oppose. Their associated X account was also suspended, though they stated the pursuit of justice cannot be stopped by taking down a website or censoring their message.
Handala has been active at least since the October 7, 2023, attacks by Hamas and is believed to maintain ties with the Iranian regime and its military branches. The group targeted Stryker last week in retaliation for a U.S. government missile strike that hit an Iranian school, killing at least 175 people. Most of the victims were children, according to initial reports on the strike that precipitated the cyber incident against the medical company.
The hackers reportedly broke into an internal Stryker administrator account to gain near-unlimited access to the company's Windows network infrastructure. They allegedly took over Stryker's Intune dashboards, a tool designed to manage employee laptops and mobile devices remotely across global locations. This access included the ability to delete data, which investigators say effectively allowed the group to wipe devices owned by both the company and its staff.
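The pattern described above, a single administrative account issuing remote wipe commands to many managed devices in a short period, is one that a defender can watch for in the device management platform's own audit trail. The following Python is an added illustration for this article, not code from Stryker, Microsoft or the investigators; the audit event field names (`time`, `actor`, `operation`, `device`, `result`) and the sample events are constructed assumptions loosely modeled on MDM audit logs rather than the real Intune schema. It applies a sliding window per actor and raises one alert when any account triggers a burst of destructive device actions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MDM audit events (one JSON object per line). The field names
# are an assumption loosely modeled on MDM audit logs, not the real Intune schema.
SAMPLE_EVENTS = """\
{"time": "2024-03-10T02:14:05Z", "actor": "it-admin@corp.example", "operation": "Wipe", "device": "LAPTOP-0013", "result": "Success"}
{"time": "2024-03-10T02:14:09Z", "actor": "it-admin@corp.example", "operation": "Wipe", "device": "LAPTOP-0027", "result": "Success"}
{"time": "2024-03-10T02:15:41Z", "actor": "it-admin@corp.example", "operation": "Wipe", "device": "PHONE-0102", "result": "Success"}
{"time": "2024-03-10T02:17:58Z", "actor": "it-admin@corp.example", "operation": "Wipe", "device": "LAPTOP-0088", "result": "Success"}
{"time": "2024-03-10T09:30:12Z", "actor": "helpdesk@corp.example", "operation": "Sync", "device": "LAPTOP-0013", "result": "Success"}
{"time": "2024-03-10T14:02:33Z", "actor": "helpdesk@corp.example", "operation": "Wipe", "device": "PHONE-0311", "result": "Success"}
"""

# Operations that destroy data or remove management from a device.
DESTRUCTIVE_OPERATIONS = {"Wipe", "Retire"}


def parse_events(text):
    """Parse newline-delimited JSON audit events into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_bulk_wipes(events, threshold=3, window=timedelta(minutes=10)):
    """Flag any actor who issues at least `threshold` destructive device actions
    within a sliding time window. Returns one alert per offending actor,
    describing the densest window observed for that actor."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["operation"] in DESTRUCTIVE_OPERATIONS:
            by_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "first": evs[start]["time"].isoformat(),
                    "last": evs[end]["time"].isoformat(),
                    "devices": [x["device"] for x in evs[start:end + 1]],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipes(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['actor']} issued {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['devices'])}")
```

On the constructed sample, the four wipes from `it-admin@corp.example` inside a four-minute span produce one alert, while the single daytime wipe by the helpdesk account stays below the threshold. In practice the threshold and window would be tuned to the organisation's normal device-retirement volume, and an alert of this kind is a trigger to suspend the issuing account's MDM privileges pending review rather than proof of compromise on its own.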
Stryker employs over 56,000 people across dozens of countries and last year signed a $450 million contract to supply medical devices to the Department of Defense. On Tuesday, the company stated it is still restoring its computers and internal network following the breach and the resulting data loss. The disruption affects critical operations within the healthcare sector, raising broader concerns about supply chain security and the resilience of medical device manufacturers.
Nariman Gharib, a U.K.-based Iranian activist and independent cyber-espionage investigator, told TechCrunch that the takedowns are good news for global security. He noted that the group's organizational and management structure is currently disrupted, and members may face further physical threats from state actors. However, he warned that future leaks may still be published by media outlets close to the IRGC, continuing the information war despite the domain seizures. Security analysts suggest that while direct control is lost, the ideological drive remains unchanged within the network.
This incident underscores the growing trend of state-sponsored actors using hacktivist proxies to conduct cyber espionage and sabotage against Western companies. Prior events involving similar groups suggest that website seizures often serve as a temporary disruption rather than a permanent neutralization of the threat. Security experts warn that the underlying motivation remains intact despite the loss of public-facing infrastructure and communication channels.
The FBI and Justice Department did not immediately respond to requests for comment regarding the specific legal basis for this action or the timeline of the seizure. As the investigation continues, organizations must remain vigilant against coordinated attacks targeting their internal management systems and remote access tools. The next phase of this conflict will likely involve renewed cyber operations or information campaigns through alternative channels outside the seized domains.