https://www.international.gc.ca Date modified: 2025-09-12
Summary
Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journalists, including one from Canada. RRM Canada assesses that the operation began on July 8, 2025.
The hacked materials ranged from photos of government IDs to intimate content. They were first released via the Handala website, then further amplified via X, Facebook, Instagram, Telegram, and Iranian news websites. At the time of assessment, engagement with the hacked materials has varied from low to medium (between 0 to 2,200 interactions and 1 to 225,000 views), depending on the platform. The social media campaign appears to have stopped as of early August.
Following the aftermath of the initial “hack and leak” operation, RRM Canada also detected amplification of the leaked information through multiple AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek. These platforms all outlined detailed information about the “hack and leak” operation, providing names of the affected individuals, the nature of the leaked information, and links to the released images. RRM Canada notes that some of these chatbots continue to surface the leaked images upon request.
Many sources, including the Atlantic Council, have associated the Handala Hack group with Iran’s intelligence services. Footnote1
Targets and content
Initial “hack and leak” operation
On July 8, 2025, alleged “hacktivist” group “Handala Hack Team” claimed to have accessed the internal communication and server infrastructure of Iran International—a Farsi satellite television channel and internationally-based English, Arabic, and Farsi online news operation.Footnote2 The group released several uncensored photos of government IDs (including passports, permanent resident cards, and driver’s licences) of five Iran International staffers. In some instances, released content included email address passwords, along with intimate photos and videos. (See Annex A)
RRM Canada detected the operation on July 9, 2025, following the release of the information on a Telegram channel associated with Handala. The group claimed to have acquired information of thousands of individuals linked to Iran International, including documents and intimate images of journalists who worked for the news agency.Footnote3
On July 11, 2025, RRM Canada detected further distribution of materials on X and Facebook. The information appears to focus on a Canadian resident employed by Iran International. The leak included several photos of the individual’s ID, including their provincial driver’s licence, permanent resident card, and Iranian passport, and other personal photos and videos. Three other internationally based staff of the news agency were targeted in a similar fashion, with the release of government-issued ID on Handala’s website and then distributed online.
It is believed that more journalists have been affected by the hack, and there are suggestions that the group is also using the hacked intimate images as a source of revenue by implementing pay-for-play access to some images.
Information amplified through AI chatbots
RRM Canada tested six popular AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek—to assess whether the platforms would retrieve and share the information leaked by Handala. While the required prompts varied, all tested chatbots outlined detailed information about the operation, providing the names of the individuals implicated in the lead in addition to the nature of information. (See Annex B)
In addition to providing information, links, and, in some cases, images related to the leak, the chatbots provided citations that included links to unreliable or state-linked sources or repeated unverified accusations against Iran International regarding its credibility from Handala.
Tactics, techniques and procedures
“Hack and leak” operations are a type of cyber-enabled influence campaign where malicious actors hack into a target’s systems or accounts to steal sensitive or private information and then leak the information publicly. Operations are often implemented with the intent to damage reputations, influence public opinion, disrupt political processes, and even put personal safety at risk.
These operations are often associated with state-sponsored actors, hacktivist groups, or cybercriminals.
Links to Iranian intelligence
Handala established their web presence in December 2023. The group has limited social media presence, likely resulting from frequent violations of the platforms’ terms of service.
Atlantic Council and several threat intelligence firms (including Recorded Future, Trellix, and others) report that Handala has connections or is affiliated with other Iranian intelligence-linked groups such as Storm-842 (also known as Red Sandstorm, Dune, Void Manticore, or Banished Kitten).Footnote4 Iran International asserts that Handala and Storm-842 are the same group operating as a cyber unit within Iran’s Ministry of Intelligence.Footnote5
Implications
The leak of personal information increases the risk to the personal safety of the affected Iran International staff. The ease of access to the information resulting from search engine algorithms and availability on AI chatbots further increases this risk. Such operations are used as a form of digital transnational repression (DTNR), which is leveraged to coerce, harass, silence, and intimidate those who speak against foreign actors or against their interests.
Annex A: Sample images of leaked information
Image 1
Image 1: Government-issued ID and personal photos of a Canadian resident working for Iran International.
Image 2
Image 2: post likely from Handala Hack Team associates amplifying leaked materials.
Annex B: Large language model outputs
Image 3
Image 3: Web version of ChatGPT producing leaked images.
Image 4
Image 4: Google’s Gemini reproducing images of the leak.
Image 5
Image 5: Grok showing X posts that include leaked information.
Image 6
Image 6: Claude generating responses with a citation linking directly to Handala's website.
Image 7
Image 7: DeepSeek generating responses with a citation linking directly to Handala’s website.
In July 2024, we identified a vulnerability that resulted in access to millions of live customer support messages for organizations using Cisco Webex Connect.
After federal police came to an employee’s house to ask questions, encrypted messaging company Session has decided to leave Australia and switch to a foundation model based in Switzerland.
Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which…
The man behind a massive leak of U.S. government secrets that has exposed spying on allies, revealed the grim prospects for Ukraine’s war with Russia and ignited diplomatic fires for the White House is a young, charismatic gun enthusiast who shared highly classified documents with a group of far-flung acquaintances searching for companionship amid the isolation of the pandemic.
ChatGPT for a long time on March 20th posted a giant orange warning on top of their interface that they’re unable to load chat history.
The loss of availability Ransomware causes is enough to make your day/week/s bad, the loss of data, bad month/quarter or longer.
Lockbit posted “Royal Mail need new negotiator.” Followed by “ALL AVAILABLE DATA PUBLISHED !”
What we actually found is that they published the chat history:
A Ukrainian cybersecurity researcher has released a huge batch of data that came from the internal systems of the Conti ransomware gang. The researcher released the
