FBI seizes pro-Iranian hacking group’s websites after destructive Stryker hack

The FBI seized and took down two websites linked to the pro-Iranian hacktivist group Handala, which last week claimed responsibility for a destructive cyberattack against the U.S. medical tech giant Stryker. 

As of Thursday, the contents of a website where Handala publicized its hacks, as well as another website that the group used to dox dozens of people over their alleged ties to the Israeli military and defense contractors, such as Elbit Systems and NSO Group, were replaced by a banner announcing the law enforcement action. 

The seizure notice did not say why the FBI and the Justice Department took down the websites. But its wording appears to indicate that U.S. authorities believed these sites were run by hackers linked to a foreign government.

“Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor,” read the seizure announcement. “The United States Government has taken control of this domain to disrupt ongoing malicious cyber operations and prevent further exploitation.”

TechCrunch confirmed the website’s seizure by examining its nameserver records, which now point to servers controlled by the FBI. 

The FBI and the Justice Department did not immediately respond to TechCrunch’s request for comment.

A website takedown and seizure notice by the FBI and the U.S. Department of Justice, which replaced the contents of two websites linked to the pro-Iranian hacktivist group Handala. (Image: TechCrunch)

In a series of announcements posted on the group’s official Telegram channel on Thursday, Handala acknowledged its websites were taken offline, calling the seizures “a desperate attempt to silence our voice.”

“This act of digital aggression only serves to highlight the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive,” the hackers wrote. “Although they attempt to erase the evidence and hide their crimes through censorship and intimidation, their actions only confirm the impact of our mission. The pursuit of justice cannot be stopped by taking down a website, the movement for truth will persist and grow stronger.”

Handala’s X account was also recently suspended.

The group did not respond to a message sent to its official chat account.

Handala has been active at least since the October 7, 2023 attacks by Hamas, and is believed to have ties with the Iranian regime. Last week, the group claimed the attack on U.S. medical company Stryker, which has over 56,000 employees across dozens of countries. The hackers said the hack was in retaliation for the U.S. government missile strike that hit an Iranian school, killing at least 175 people, most of them children. 

Last year, Stryker signed a $450 million contract to supply medical devices to the Department of Defense.

Handala reportedly broke into an internal Stryker administrator account, gaining near-unlimited access to the company’s Windows network. At that point, the hackers allegedly took over Stryker’s Intune dashboards, a tool that was designed to allow the company to manage employee laptops and mobile devices remotely, which included the ability to delete data. 

With access to these dashboards, the hackers were reportedly able to wipe devices owned by both the company and its own employees. 
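The abuse described above, a compromised administrator account issuing remote wipes through the device-management console, leaves a trail in the management platform's audit log. The script below is an added example written for this article, not code from TechCrunch, Stryker or Microsoft. It flags any actor who issues a burst of wipe or retire actions within a short window, and separately lists wipe actors who are not on an allowlist of expected device-management admins. The event shape (`activityDateTime`, `actor.userPrincipalName`, `activity`, `resources`) is an assumption modelled loosely on the Graph API `deviceManagement/auditEvents` resource, the activity names in `WIPE_ACTIVITIES` are assumed, and the sample events and account names are constructed; verify the field and activity names against a real export from your own tenant before relying on them.

```python
"""Detect bursts of remote-wipe actions in device-management audit events.

Added example: not from the article or any vendor. Field names below are an
ASSUMPTION modelled loosely on the Microsoft Graph deviceManagement/auditEvents
resource; check them against a real export before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMED activity names for destructive device actions.
WIPE_ACTIVITIES = {"Wipe ManagedDevice", "Retire ManagedDevice"}


def _ev(ts, upn, activity, device=None):
    """Build one constructed audit event in the assumed shape."""
    resources = [{"displayName": device, "type": "ManagedDevice"}] if device else []
    return {
        "activityDateTime": ts,
        "actor": {"userPrincipalName": upn},
        "activity": activity,
        "resources": resources,
    }


# CONSTRUCTED sample: one account wipes five laptops in four minutes, another
# account performs normal, widely spaced administration.
SAMPLE_EVENTS = [
    _ev("2026-03-05T15:00:00Z", "it-ops@example.com", "Wipe ManagedDevice", "LAPTOP-900"),
    _ev("2026-03-05T03:14:00Z", "helpdesk-admin@example.com", "Wipe ManagedDevice", "LAPTOP-003"),
    _ev("2026-03-05T03:12:00Z", "helpdesk-admin@example.com", "Wipe ManagedDevice", "LAPTOP-001"),
    _ev("2026-03-05T03:16:00Z", "helpdesk-admin@example.com", "Wipe ManagedDevice", "LAPTOP-005"),
    _ev("2026-03-05T10:00:00Z", "it-ops@example.com", "Create DeviceConfiguration"),
    _ev("2026-03-05T03:13:00Z", "helpdesk-admin@example.com", "Wipe ManagedDevice", "LAPTOP-002"),
    _ev("2026-03-05T09:00:00Z", "it-ops@example.com", "Retire ManagedDevice", "LAPTOP-777"),
    _ev("2026-03-05T03:15:00Z", "helpdesk-admin@example.com", "Wipe ManagedDevice", "LAPTOP-004"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_wipe(event):
    return event.get("activity") in WIPE_ACTIVITIES


def detect_bulk_wipes(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per actor whose wipe/retire count inside any sliding
    window of length `window` reaches `threshold`. The alert records the
    largest such burst seen for that actor."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        if is_wipe(e):
            by_actor[e["actor"]["userPrincipalName"]].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        recent = deque()  # events inside the current sliding window
        best = None
        for e in evs:
            t = parse_ts(e["activityDateTime"])
            recent.append(e)
            # Drop events that fell out of the window.
            while t - parse_ts(recent[0]["activityDateTime"]) > window:
                recent.popleft()
            if len(recent) >= threshold and (best is None or len(recent) > best["count"]):
                best = {
                    "actor": actor,
                    "count": len(recent),
                    "first": recent[0]["activityDateTime"],
                    "last": e["activityDateTime"],
                    "devices": [r["displayName"] for w in recent for r in w["resources"]],
                }
        if best:
            alerts.append(best)
    return alerts


def unexpected_wipe_actors(events, allowed_actors):
    """Actors who issued any wipe/retire action but are not on the allowlist."""
    return {e["actor"]["userPrincipalName"] for e in events if is_wipe(e)} - set(allowed_actors)


if __name__ == "__main__":
    for a in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"BURST: {a['actor']} wiped {a['count']} devices {a['first']}..{a['last']}: {a['devices']}")
    print("unexpected wipe actors:", unexpected_wipe_actors(SAMPLE_EVENTS, {"it-ops@example.com"}))
```

The two checks are deliberately independent: the burst detector catches a legitimate admin account being driven at machine speed, which is the pattern in this incident, while the allowlist catches a wipe coming from an account that should never hold that permission at all. Both depend on the audit log being shipped off the platform in near real time; an actor with full admin rights over the console can otherwise reach the evidence as easily as the devices.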

On Tuesday, Stryker said it was still restoring its computers and internal network following the hack.

Nariman Gharib, a U.K.-based Iranian activist and independent cyber-espionage investigator, told TechCrunch that the takedowns are good news.

“Their organizational and management structure is currently disrupted, and at any moment, members of this group may be targeted by missile strikes, just like other cyber forces of the regime,” Gharib told TechCrunch. 

“But this does not mean that their activities may stop — no. It is possible that future leaks may be published by this group through media close to the IRGC,” Gharib said, referring to the country’s military.
