FBI Seizes Handala Websites After Stryker Cyberattack

By alex2404

The FBI has seized two clearnet websites belonging to Handala, the Iranian-linked hacktivist group that wiped roughly 80,000 devices at medical technology company Stryker in a destructive cyberattack.

Seizure banners now appear on handala-redwanted[.]to and handala-hack[.]to, stating the domains were taken under a warrant issued by the U.S. District Court for the District of Maryland. The notices say law enforcement determined the sites “were used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor.” Both domains now resolve to FBI nameservers — ns1.fbi.seized.gov and ns2.fbi.seized.gov — the same infrastructure the bureau uses routinely when seizing domains. No official announcement from the FBI or the Justice Department has accompanied the action.

According to the original report, it is not known whether agents obtained only the domain names or also gained access to the servers' content and logs.

The Stryker attack, which preceded the seizures, involved Handala compromising a Windows domain administrator account and creating a new Global Administrator account. From there, the group issued Microsoft Intune’s factory reset — or “wipe” — command across the company’s device fleet. The roughly 80,000 affected devices included computers and mobile phones; employees whose personal devices were enrolled in the company’s device management system lost their personal data as well. No additional malware was required to execute the destruction.
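As an added illustration of the telemetry a defender would want for the chain described above (example code, not from the article, Microsoft, or Stryker), the following Python flags the two signals in a constructed audit log: a grant of the Global Administrator role, and a burst of device wipe commands from a single account. The log schema, account names, device names and thresholds are assumptions, not the real Entra ID or Intune export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified, hypothetical schema
# (not the real Entra ID / Intune export format). One JSON object per line.
SAMPLE_LOG = """
{"ts":"2026-01-10T02:01:00Z","actor":"svc-backup@corp.example","action":"AddMember","target":"Global Administrator","subject":"ops-admin2@corp.example"}
{"ts":"2026-01-10T02:02:10Z","actor":"helpdesk@corp.example","action":"Wipe","target":"PHONE-0420"}
{"ts":"2026-01-10T02:03:00Z","actor":"ops-admin2@corp.example","action":"Wipe","target":"LAPTOP-0001"}
{"ts":"2026-01-10T02:03:05Z","actor":"ops-admin2@corp.example","action":"Wipe","target":"LAPTOP-0002"}
{"ts":"2026-01-10T02:03:10Z","actor":"ops-admin2@corp.example","action":"Wipe","target":"LAPTOP-0003"}
{"ts":"2026-01-10T02:03:15Z","actor":"ops-admin2@corp.example","action":"Wipe","target":"PHONE-0004"}
{"ts":"2026-01-10T02:03:20Z","actor":"ops-admin2@corp.example","action":"Wipe","target":"LAPTOP-0005"}
{"ts":"2026-01-10T02:03:25Z","actor":"ops-admin2@corp.example","action":"Wipe","target":"LAPTOP-0006"}
"""

PRIVILEGED_ROLES = {"Global Administrator"}   # roles whose grants always alert
WIPE_BURST_THRESHOLD = 5                      # wipes by one actor ...
WIPE_WINDOW = timedelta(minutes=10)           # ... within this window = alert


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alert strings for privileged role grants and wipe bursts."""
    alerts = []
    recent_wipes = defaultdict(list)  # actor -> wipe timestamps in sliding window
    for ev in events:
        if ev["action"] == "AddMember" and ev["target"] in PRIVILEGED_ROLES:
            alerts.append(f"ROLE GRANT: {ev['actor']} added {ev['subject']} "
                          f"to {ev['target']}")
        elif ev["action"] == "Wipe":
            window = recent_wipes[ev["actor"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > WIPE_WINDOW:  # drop stale entries
                window.pop(0)
            if len(window) == WIPE_BURST_THRESHOLD:    # fire once per burst
                alerts.append(f"WIPE BURST: {ev['actor']} issued "
                              f"{len(window)} wipes in {WIPE_WINDOW}")
    return alerts
```

Run `detect(parse_events(SAMPLE_LOG))` to see the two alerts; the single helpdesk wipe stays below the burst threshold and is not flagged.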

Handala, also tracked under the names Handala Hack Team, Hatef, and Hamsa, first surfaced in December 2023. Researchers have linked the group to Iran’s Ministry of Intelligence and Security. Its prior operations targeted Israeli organizations with wiper malware built to destroy Windows and Linux systems.

Group Vows to Continue Operations

Handala acknowledged the seizures publicly via Telegram, framing them as a logistical challenge rather than a setback. “Building a new digital base is a complex and time-consuming process,” the group wrote, adding, “we remain committed to continuing our mission without interruption.” The post said the group is working to establish new websites to announce future attacks.

Government Response to the Stryker Breach

Microsoft and the Cybersecurity and Infrastructure Security Agency issued guidance following the Stryker incident, advising organizations on how to harden Windows domain configurations and restrict access within Microsoft Intune to prevent similar attacks. The Intune wipe command — a legitimate enterprise tool — had not previously featured prominently in threat actor playbooks at this scale.

The seizure marks the U.S. government’s first known direct enforcement action against Handala’s infrastructure since the group began operations.


This article is a curated summary based on third-party sources.
