In December 2025, the Iranian-linked hacking group Handala claimed to have fully compromised the mobile devices of two prominent Israeli political figures. <\/p>\n
However, detailed analysis by Kela cyber intelligence researchers revealed a more limited scope\u2014the breaches targeted Telegram accounts specifically, not complete device access. <\/p>\n
The group claimed to have breached former Prime Minister Naftali Bennett\u2019s iPhone 13 during Operation Octopus, releasing contact lists, photos, videos, and approximately 1,900 chat conversations. <\/p>\n
Shortly after, they claimed similar access to Tzachi Braverman\u2019s device, the Israeli Chief of Staff. Despite these dramatic claims, the actual breach exposed critical gaps in account security rather than device-level compromise.<\/p>\n
Kela analysts conducted forensic examination<\/a> of the leaked materials and identified that most of the exposed conversations were empty contact cards automatically generated by Telegram during synchronization. <\/p>\n Only about 40 conversations contained actual messages, with even fewer showing substantial exchanges. All exposed contacts linked to active Telegram accounts, confirming the data originated from Telegram itself. <\/p>\n Kela researchers and analysts noted<\/a> that the incident highlighted serious vulnerabilities in session management and account security practices, even on encrypted messaging platforms.<\/p>\n Understanding the infection and account takeover mechanism reveals how Handala compromised these accounts without full device access. <\/p>\n The group likely employed multiple attack vectors including SIM swapping, where attackers assume control of the victim\u2019s phone number to receive login verification codes. <\/p>\n They could also exploit SS7 protocol weaknesses in telecommunications infrastructure to intercept SMS messages at the network level. Additionally, Handala may have utilized sophisticated phishing campaigns that captured one-time passwords through fake login pages or malicious QR codes<\/a>.<\/p>\n Session hijacking represented another probable vector, where attackers copied the tdata folder from Telegram Desktop\u2014the authentication file containing active session data that grants full account access when restored elsewhere, bypassing OTP and multi-factor authentication entirely.<\/p>\n The group\u2019s operational approach also included harvesting OTP codes through multiple techniques: triggering verification via voice calls, extracting codes from voicemail by exploiting unchanged default PINs, or impersonating Telegram support to socially engineer staff into disclosing credentials. <\/p>\n Telegram\u2019s default settings significantly amplified these risks. The cloud password feature remains optional and disabled by default, meaning possession of an OTP alone provides complete account access. <\/p>\n Standard chats lack end-to-end encryption, storing data on Telegram servers as cloud chats rather than locally, expanding the attack surface considerably.<\/p>\n Handala first emerged in December 2023, establishing presence across multiple cybercrime forums and operating various Telegram channels and social media accounts. <\/p>\n Their operations primarily targeted Israeli companies and organizations, consistently demonstrating support for Iran and Palestinian causes throughout their campaigns<\/a>, indicating state-sponsored or state-sympathetic motivations.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Handala Hackers Targeted Israeli Officials by Compromising Telegram Accounts<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Contacts](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrgqVnT-mjcNlaFZTVQKTxfCkbNLpMtfTSubKOzt2uM-dSWxxJbbgDCFpanERxajpsRvjVEuN01CtJQcB4YPQQPkaZK0AkYs7Nl4MXUMFPTz_v39V174T9KcwSEb1yAiKx2dCcgFC6tyWi_GiiRlf2Bramzuzm0O7h4A2Xl-wyfjv-EPcLF8cTx1ZxZkU\/s16000\/Contacts%2520were%2520linked%2520to%2520active%2520Telegram%2520%28Source%2520-%2520Kela%29.webp?ssl=1\")
\nSession hijacking<\/strong> <\/h2>\n
![\"Leaked](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZywEikDEfxOoxzhiqfYV1o4VOLQHgu7CgOkal6hpVYPLN3mIOF7XKJjWWeM8ToGf2Atcg9MqsxAlSFr2gdG_XY5uC-ltSEAISjSh8RjGTn1GGSoMh_Te-94ErF07LfBNql_bFLxVfdt3icQmN_VjvU4Wo4EnG_-pwStc0vskXBZ8GLVz-n4xHuSjN1qA\/s16000\/Leaked%2520data%2520%28Source%2520-%2520Kela%29.webp?ssl=1\")
![\"Handala](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqSTdwzsSqrEsECMlhn1POTTMekCv8MyazKJfKPbpfLIoO0fma4EzDTI_rtgxVBzpmvqbW-bQRApbIVi2tF_k09l6XxAdyrIWc8PjLzYAC2couiwm1QLCk1GReIycvv_h82L43cIHh8RzRMNZpactvzIQ1Y9YnUgB_ajaDgqjVlK-qTLoiiT6hP9bWqhc\/s16000\/Handala%2520post%2520on%2520cybercrime%2520platform%2520BreachForums%2520%28Source%2520-%2520Kela%29.webp?ssl=1\")