The U.S. Department of Justice has struck a major blow against the Islamic Republic of Iran’s cyberwarfare infrastructure, announcing the seizure of four domains used to anchor a transnational campaign of hacking, doxing, and death threats. The operation, a joint effort by the FBI and the National Security Division, targeted sites operated by Iran’s Ministry of Intelligence and Security (MOIS) that functioned as the digital pillars for a violent “playbook” of international repression.
The seized domains—Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to—were used by the MOIS to broadcast state-sponsored propaganda, leak stolen data, and incite real-world violence against journalists, dissidents, and Israeli citizens.
The FBI’s investigation revealed that these domains were not isolated websites but part of a coordinated network linked by shared leak sites, Iranian IP ranges, and a common operational strategy. This strategy included destructive cyber-attacks and “faketivist” psychological operations designed to target adversaries of the Iranian regime.
One of the most prominent personas in this network, “Handala Hack,” used the Handala-hack[.]to domain to claim responsibility for a devastating March 2026 malware attack against a U.S.-based multinational medical technologies firm. The group framed the attack as retaliation for “ongoing cyber assaults against the infrastructure of the Axis of Resistance.”
Beyond digital sabotage, the MOIS used these platforms to wage a campaign of terror against individuals. On Handala-redwanted[.]to, the regime posted the names and sensitive personally identifiable information (PII) of approximately 190 people associated with the Israeli Defense Force (IDF) and the Israeli government. The posts included chilling warnings that their residences were known and that “consequences would soon follow.”
The investigation took an even darker turn when it was discovered that the MOIS-linked email account Handala_Team@outlook[.]com was used to send explicit death threats to Iranian dissidents living in the United States and abroad. In one email sent on March 1, 2026, the group claimed to have partnered with the Jalisco New Generation Cartel (CJNG) to carry out executions.
The domain Justicehomeland[.]org was identified as a shell hacktivist entity used to punish foreign governments. In late 2022, MOIS actors used the site to leak sensitive documents stolen from Albanian government organizations. This move was direct retaliation for Albania’s support of the Iranian dissident group Mujahedeen e-Khalq (MEK), which advocates for the overthrow of the current Iranian regime.
By circulating reputation-damaging content and threats, the MOIS sought to create a culture of fear among the Iranian diaspora and discourage independent reporting.