The FBI accuses the Iranian government of using four domains to obtain and sell stolen information from the Albanian government, Iranian dissidents, Israeli government officials and U.S. companies. In a 40-page document, the FBI outlines several digital campaigns launched by Iran’s Ministry of Intelligence and Security (MOIS), through multiple online users, most of whom appear under the name Handala.
In court documents, the Justice Department provided much information about the nature of the attacks.

Albania and Mexican cartels

The FBI said the Handala website was linked to other domains used by Iran’s MOIS in operations dating back to 2022.
One of the websites was used to host information stolen from Albania during two cyberattacks on the country’s government in 2022. The first hack occurred in July 2022, ahead of a conference in Albania that was to be attended by members of the Mujahideen-e Khalq, also known as the MEK, an Iranian group that Tehran considers a terrorist organization. The incident knocked out several government services, prompting officials to rush to recover.
In September 2022, Albanian Prime Minister Edi Rama announced a second cyberattack that hit the country’s Total Information Management System, which helps automate things like passport checks and cross-reference people in fugitive databases. The Cybersecurity and Infrastructure Security Agency (CISA) later said that Iranian hackers had been inside Albania’s networks for more than a year.
The cyberattack gave Iranian actors access to Albanian government email systems, and they stole information that included correspondence between the U.S. and Albania. FBI Director Kash Patel said in a statement that the agency “is not finished” uncovering Iranian cyber operations. The State Department issued a $10 million reward for information on anyone who participated in the creation of the websites or was involved in the cyberattacks.
A group claiming to be Handala created a new website where it responded to the blockades and threatened further cyberattacks. Israeli officials claimed this week that some of the Iranian leaders behind Handala were recently killed in airstrikes.

FBI agent’s court testimony

29. On July 15, 2022, the Albanian government reported that many government computer systems were targeted by a large-scale cyberattack.
The attack resulted in multiple Albanian government servers going down at the same time and the loss of a lot of sensitive data from these servers. According to an open report, the cyberattack had several phases from May 2021 to August 2022 including: targeting computer infrastructure; exploiting vulnerabilities in order to inject various data; installing ransomware and programs to corrupt data from these computers; and acting without authorization to extract data from these computers online to intimidate government personnel and force political change.

30. In response to this cyberattack, the FBI deployed personnel to Albania to assist in the response to this attack, data recovery, and technical analysis.
The FBI investigation verified the timing of the attack and provided a full summary of how it was carried out. According to the FBI’s technical analysis, the attackers gained access to the Albanian Government’s computer network around May 2021 through the use of a Microsoft SharePoint server. The attackers maintained continuous network access after this intrusion, periodically accessing email content or other materials from the servers.
In May 2022, the attackers moved into an organized attack. During this phase, the attackers scanned the servers for vulnerabilities, tested access, and looked for additional intrusions in preparation for the next phase of the attack. Around July 15, 2022, the actors launched a destructive attack against the servers.

31. At the time of this cyberattack, the servers were hosting, among other things, communications between Albanian government officials and U.S. government officials on various diplomatic, national security, or intelligence matters.
These communications were among the information that leaked from the systems and was destroyed during the attack.

32. During and after the attack, a group called “Homeland Justice” took credit for the attack online. Homeland Justice posted a video on its website about the attack it carried out and later released images of documents belonging to the Albanian government. Based on their message, the motivation came from the Albanian government’s decision to support an Iranian dissident group called the Mujahideen-e Khalq, or “MEK.” The MEK has openly advocated for the overthrow of the Iranian government in the past.

In his testimony, the FBI agent says that Homeland Justice, Karma Below and Handala Hack are operated by MOIS, the Iranian intelligence agency.
“For example, Homeland Justice, which hacked the Albanian government in 2022, is the same as Handala Hack or Karma Below, because all three actors consistently target Iran’s enemies through their psychological operations,” the FBI agent states in court.
“Based on the characteristics of the data that was stolen in Albania in 2022 and the fact that a Homeland Justice user was attempting to sell that data, it is highly likely that the data to be sold was that taken from Albanian government computers during the July 15, 2022 and September 9, 2022 cyberattacks,” says the FBI agent.
In his testimony, a screenshot of the FBI agent’s conversation with Homeland Justice is also provided, where he asks for information and Homeland replies that it has e-Albanian and ID cards for Albanian citizens.
“Following these exchanges of messages, around March 4, 2025, the person at Homeland sold a database to the FBI employee, while he was working undercover in the District of Maryland. A screenshot of the database sold to the FBI employee clearly showed that the file contained ID card numbers, names, dates of birth, addresses, and other sensitive personal information. The information was found to expose sensitive data of Albanian citizens, which could be used to steal identities,” the FBI agent reports.

/ newsbomb.al