The FBI has seized two websites linked to the Handala hacktivist group after the threat actors carried out a destructive cyberattack on medical technology company Stryker that reportedly wiped out about 80,000 devices.
The group’s clearnet domains, handala-redwanted[.]to and handala-hack[.]to, now show a seizure notice saying the sites were taken over under a warrant issued by the U.S. District Court for the District of Maryland.

The notice says the domains were used to conduct, support, or help facilitate malicious cyber activity on behalf of, or in coordination with, a foreign state actor. It adds that the action was taken to disrupt ongoing operations and prevent further abuse.
Although law enforcement has not yet made a formal public announcement, the domains’ name servers have reportedly been changed to ns1.fbi.seized.gov and ns2.fbi.seized.gov, which are commonly used in FBI domain seizures.
It is still unclear whether the FBI only seized the domains or also gained access to the websites’ content and server logs.
Handala, also known as Handala Hack Team, Hatef, and Hamsa, is an Iranian-linked pro-Palestinian hacktivist group that first emerged in December 2023. The group has been tied to operations reportedly connected to Iran’s Ministry of Intelligence and Security. Its attacks have mainly targeted Israeli organizations using destructive malware built to wipe both Windows and Linux systems.
The seizure comes after Handala’s major cyberattack on Stryker. In that incident, the attackers reportedly compromised a Windows domain administrator account and then created a new Global Administrator account to expand control over the environment.
They then used Microsoft Intune’s wipe feature to factory reset about 80,000 devices, including computers and mobile phones. Some employees also said their personal devices were wiped because they had been enrolled in company management systems.
Handala has since responded to the seizures on Telegram, saying it now needs more resilient infrastructure and is working on new websites to continue publishing its operations.
The group said building a new digital base would take time, but claimed it remained committed to continuing its mission without interruption.
After the Stryker incident, Microsoft and CISA issued guidance to help organizations better protect Windows domains and secure Intune environments against similar attacks.
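The reported attack chain (a newly created Global Administrator account followed by bulk Intune wipe requests) can be turned into a simple detection rule. The sketch below is an added example, not code from Microsoft, CISA, or the original article; the event schema, account names, thresholds, and timestamps are constructed assumptions rather than the native Entra ID or Intune audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WIPE_THRESHOLD = 5                    # wipes per actor inside WINDOW that trigger an alert
WINDOW = timedelta(minutes=10)
NEW_ADMIN_AGE = timedelta(hours=24)   # how long a fresh role grant counts as "new"

def detect_mass_wipe(events):
    """Alert once per actor whose wipe requests exceed the threshold. `events` use a
    hypothetical normalized schema (time, actor, action, target), not a vendor format."""
    granted = {}                       # account -> time it received Global Administrator
    recent = defaultdict(deque)        # actor -> wipe timestamps inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["action"] == "role_grant" and ev.get("role") == "Global Administrator":
            granted[ev["target"]] = t
        elif ev["action"] == "device_wipe":
            q = recent[ev["actor"]]
            q.append(t)
            while t - q[0] > WINDOW:   # drop wipes that fell out of the window
                q.popleft()
            if len(q) >= WIPE_THRESHOLD and ev["actor"] not in alerts:
                g = granted.get(ev["actor"])
                new_admin = g is not None and t - g <= NEW_ADMIN_AGE
                alerts[ev["actor"]] = {
                    "actor": ev["actor"],
                    "first_alert_at": ev["time"],
                    "wipes_in_window": len(q),
                    "newly_granted_admin": new_admin,
                    "severity": "critical" if new_admin else "high",
                }
    return list(alerts.values())

def sample_events():
    """Constructed sample data: one routine helpdesk wipe, then a burst from a new admin."""
    ev = [
        {"time": "2026-01-01T09:00:00", "actor": "helpdesk@example.com",
         "action": "device_wipe", "target": "LAPTOP-001"},
        {"time": "2026-01-01T11:58:00", "actor": "da-admin@example.com",
         "action": "role_grant", "role": "Global Administrator",
         "target": "svc-new@example.com"},
    ]
    ev += [{"time": f"2026-01-01T12:00:{i:02d}", "actor": "svc-new@example.com",
            "action": "device_wipe", "target": f"DEVICE-{i:03d}"} for i in range(8)]
    return ev

if __name__ == "__main__":
    for alert in detect_mass_wipe(sample_events()):
        print(alert)
```

The rule fires on the fifth wipe rather than after the burst completes, so a response action such as disabling the account can be triggered while most devices are still untouched.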





