An Iranian-linked hacking group is claiming to have fully compromised the phones of senior Israeli officials, but investigators say the real story is more nuanced.
In December 2025, the group known as Handala alleged it had gained complete access to the mobile devices of former Israeli Prime Minister Naftali Bennett and Israeli Chief of Staff Tzachi Braverman.
The “… analysis reveals the breaches were limited to Telegram accounts only, not complete phone access,” said Kela researchers.
What the Telegram Data Exposure Revealed
Even without full device access, control of a messaging account used by senior officials can expose sensitive communications, networks of contacts, and operational context.
The incident underscores how account takeovers — especially on trusted messaging platforms — can deliver intelligence value comparable to more sophisticated malware-based attacks.
Kela’s analysis found that the leaked data attributed to Bennett originated from Telegram itself, not from forensic extraction of an iPhone.
Handala claimed to have accessed roughly 1,900 conversations, along with photos, videos, and contact lists.
In reality, most of the exposed chats were empty contact cards automatically generated during Telegram synchronization.
Only around 40 conversations contained actual messages, with even fewer showing substantive exchanges.
All exposed contacts were linked to active Telegram accounts, reinforcing that the breach stemmed from account access rather than device compromise.
How Handala Compromised Telegram Accounts
Researchers think Handala relied on a mix of well-known but still effective techniques to compromise Telegram accounts.
One likely vector was SIM swapping, which allows attackers to receive Telegram’s login verification codes by taking control of a victim’s phone number.
Another possibility involves exploitation of SS7 signaling weaknesses in telecommunications networks, enabling interception of SMS-based one-time passwords.
Attackers may have also used fake Telegram login pages, malicious QR codes, or impersonation of support personnel to trick victims into revealing verification codes.
In some cases, attackers could trigger voice-call delivery of one-time passwords and retrieve them from voicemail systems protected by default or unchanged PINs.
Telegram Desktop Session Hijacking Explained
One concerning vector identified by the researchers involves session hijacking through Telegram Desktop.
The application stores active authentication data in a directory known as the tdata folder.
If attackers obtain this folder — through prior system access, malware on a secondary device, or insider compromise — they can restore it on another system and gain full account access without triggering one-time passwords or multi-factor authentication.
Telegram’s optional cloud password, which adds a second authentication factor, is disabled by default.
As a result, possession of a single valid verification code can grant complete account access.
Additionally, standard Telegram chats are not end-to-end encrypted and are stored as cloud chats on Telegram servers, expanding the amount of data exposed during an account takeover.
Reducing Risk in Messaging App Security
Reducing risk requires a combination of stronger identity controls, tighter platform governance, and enhanced visibility into account behavior.
- Enforce phishing-resistant authentication, enable Telegram’s cloud password feature, and regularly audit active sessions to reduce the risk of account takeover.
- Reduce SIM-based attack exposure by implementing carrier-level port-out protections and minimizing reliance on SMS or voice-based verification for high-risk users.
- Monitor for anomalous messaging account behavior, including new device logins, unexpected session persistence, and changes to security settings.
- Harden endpoint security on executive devices to prevent session hijacking, including monitoring access to messaging application authentication files.
- Restrict how messaging platforms are used by defining policies that limit sensitive discussions and require secure alternatives for high-risk communications.
- Provide targeted security awareness training for executives and staff most likely to be targeted by state-aligned threat actors.
These measures help build cyber resilience and reduce blast radius.
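One way to implement the endpoint monitoring recommended above (and to catch the tdata session-theft path described earlier) is to alert whenever a process other than the Telegram client itself touches the tdata folder. This is an added example, not code from Kela or the article; the event schema and the default tdata locations are assumptions.

```python
"""Flag processes other than the Telegram client that touch Telegram Desktop's
tdata folder. Constructed example: the event schema (user, image, path,
action, dest) and the default tdata locations below are assumptions."""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed default locations: %APPDATA%\Telegram Desktop\tdata (Windows),
# ~/Library/Application Support/Telegram Desktop/tdata (macOS),
# ~/.local/share/TelegramDesktop/tdata (Linux).
TDATA_PATTERNS = (
    re.compile(r"telegram desktop[\\/]tdata(?:[\\/]|$)", re.I),
    re.compile(r"telegramdesktop/tdata(?:/|$)", re.I),
)
ALLOWED_IMAGES = {"telegram.exe", "telegram"}  # only the client itself

def touches_tdata(path):
    """True for the tdata folder itself or anything beneath it."""
    return any(p.search(path) for p in TDATA_PATTERNS)

def image_name(image):
    """Lower-cased basename of a process image, for either path style."""
    p = PureWindowsPath(image) if "\\" in image else PurePosixPath(image)
    return p.name.lower()

def find_tdata_access(events):
    """One finding per event in which a process outside the allow-list reads,
    copies or archives the session store; any destination is kept for triage."""
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        if not touches_tdata(ev["path"]) or name in ALLOWED_IMAGES:
            continue
        reason = f"{name} did {ev['action']} on tdata as {ev['user']}"
        if ev.get("dest"):
            reason += f", destination {ev['dest']}"
        findings.append({"image": name, "reason": reason})
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "exec1", "action": "read",
     "image": r"C:\Users\exec1\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "path": r"C:\Users\exec1\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"user": "exec1", "action": "archive", "dest": r"C:\Users\exec1\AppData\Local\Temp\td.zip",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\exec1\AppData\Roaming\Telegram Desktop\tdata"},
    {"user": "exec1", "action": "read", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\exec1\Downloads\report.pdf"},
    {"user": "exec2", "action": "read", "image": "/usr/bin/tar",
     "path": "/home/exec2/.local/share/TelegramDesktop/tdata/key_datas"},
]
```

On the sample events only the PowerShell archive job and the Linux tar read are flagged; the client's own reads and unrelated file activity pass silently.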
Political Hacktivism Meets Messaging Platforms
Handala first emerged in late 2023 and has since maintained a sustained focus on Israeli organizations and individuals, pairing its operations with overt pro-Iranian and pro-Palestinian messaging.
In the wake of the Telegram breaches, the group promoted the stolen data on platforms such as BreachForums, framing the operation as a psychological and political statement rather than a display of technical sophistication.
The emphasis on publicity and narrative impact highlights how data theft is increasingly used to influence perception, intimidate targets, and amplify ideological goals.
More broadly, the activity underscores a persistent reality: messaging platforms, collaboration tools, and cloud services remain attractive targets when default configurations, session controls, and identity protections are insufficient.
As groups like Handala exploit weak identity and session controls, organizations must adopt zero-trust principles that continuously verify users and behavior.
