June 4, 2026

Iranian Hackers Target US Service Members with Threatening WhatsApp Messages, Dox Thousands of Marines

WASHINGTON — The U.S. military has confirmed that Iranian-linked hackers are actively targeting American personnel with threatening text messages and cyberattacks, marking a significant escalation in online warfare as the conflict with Iran enters a fragile ceasefire period.

A hacker group known as Handala Hack — an Iran-linked collective associated with the country’s Ministry of Intelligence and Security — has sent direct threats via WhatsApp to U.S. service members stationed in Bahrain and elsewhere in the Middle East, warning them of imminent drone and missile attacks.

“Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles.” — Message sent to U.S. troops, signed by “Handala”

The group claims to have published the complete personal information — including names and identifying details — of 2,379 U.S. Marines deployed in the Persian Gulf, releasing the data on its public Telegram channel as “proof of surveillance capabilities”. The group further claims to have obtained deeper layers of data, including family information, home addresses, daily routines, and troop movements.

🎯 Who Is Behind the Attacks

Handala Hack — also tracked as Banished Kitten, Dune, Red Sandstorm, and Void Manticore — has been active since at least 2008 and has been officially linked by the U.S. Department of Justice to Iran’s Ministry of Intelligence and Security (MOIS). This distinguishes the group from IRGC-affiliated actors, characterizing its operations as psychological warfare and intelligence-gathering rather than purely military disruption.

The group’s recent activities include:

  • March 2026: A disruptive cyberattack on U.S. medical technology giant Stryker, where the group claimed to have wiped over 200,000 systems using compromised administrator credentials
  • April 2026: The hacking of FBI Director Kash Patel’s personal Gmail account, with the group publishing photographs of Patel and his résumé online
  • April 2026: A similar wave of threatening WhatsApp messages sent to Israeli citizens, warning them to prepare for missile attacks

🛡️ Pentagon Response

The Pentagon has launched an investigation into the data breach, with early findings showing that at least some of the leaked personal information is authentic. The Navy earlier this month advised all sailors to secure their phones and social media accounts amid increasing online threats.

Then-Navy Secretary John Phelan warned in a memo that adversary cyber actors were conducting a “social engineering campaign” actively targeting Navy personnel and their families “via individual phishing attempts and social media accounts”.

Guidance for service members:

  • Do not respond to suspicious messages
  • Avoid clicking on links or downloading attachments
  • Report suspicious communications to IT departments immediately
  • Review privacy settings on social media accounts

🌐 Cyber Warfare Escalates Alongside Military Conflict

The cyberattacks come as the U.S. maintains a naval blockade of Iranian ports and a fragile ceasefire holds following two months of direct military conflict. While kinetic hostilities have paused, the online war has intensified, with Handala’s messaging explicitly referencing the Minab schoolchildren — 168 children, teachers, and staff killed in a US-Israeli airstrike on a school in southern Iran on the first day of the war.

This shift toward targeting military personnel through personal communication channels is a significant escalation for Handala, which previously focused primarily on corporate and infrastructure targets. Cybersecurity analysts view the group as part of a broader Iranian intelligence ecosystem that combines data theft with psychological operations aimed at intimidation.

“The goal is psychological damage and data collection, not just technical disruption.” — SOCRadar analysis of Handala’s operations

The group’s motto reflects its long-term objectives: “We will continue until our last breath. We will take revenge for every drop of blood spilled”.

📋 Key Takeaways

| Aspect | Summary |
|---|---|
| Attacking Group | Handala Hack (linked to Iran’s Ministry of Intelligence and Security) |
| Targets | US service members in Bahrain and Middle East; 2,379 Marines’ data leaked |
| Method | WhatsApp threats; doxing via Telegram; social engineering campaigns |
| Threats Issued | Claims of imminent Shahed drone and missile strikes |
| Data Breach | Personal info including home addresses, family details, and daily routines |
| Pentagon Response | Investigation launched; service members advised to secure devices |
| Previous Activities | Stryker cyberattack (200,000+ systems), FBI Director Kash Patel’s email hack, threats to Israeli citizens |
| Official US Designation | Department of Justice links Handala to Iran’s MOIS |

Follow Reflecto News for continuous updates on the cyber front, the investigation into the data breach, and all breaking news from the Iran-US conflict.
