U.S. Shuts Down Websites Behind Iran-Linked Cyber Attacks and Death Threats
The U.S. Department of Justice has seized four domains tied to Iran-linked cyberattacks, alleging they were used for cyberattacks, data leaks, and threats. The domains posed as hacker groups but were in fact controlled by Iran's intelligence service, and were used to publish sensitive data, threaten journalists and dissidents, and combine cyberattacks with propaganda to extend their influence.

2026-3-20 07:36:4 Author: thecyberexpress.com

The U.S. Justice Department has seized four domains tied to Iran-linked cyberattacks, disrupting what officials describe as a coordinated effort to combine hacking with online intimidation and propaganda.

The domains—Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to—were allegedly operated by Iran’s Ministry of Intelligence and Security (MOIS). According to investigators, these sites were used to claim responsibility for cyberattacks, publish stolen data, and issue threats targeting journalists, dissidents, and individuals linked to Israel.

This action highlights a shift in how Iran-linked cyberattacks are being carried out—moving beyond system breaches into public messaging and pressure tactics.

Iran-Linked Cyberattacks Used Fake Hacktivist Fronts

Authorities say the domains were connected through shared infrastructure, including Iranian IP ranges and common leak platforms. More importantly, they followed a similar pattern of activity.

The sites operated under the guise of hacktivist groups, but investigators say they were part of a state-backed effort. This included launching disruptive cyberattacks, leaking sensitive data, and amplifying the impact by publicly claiming responsibility.

One such platform, Handala-hack[.]to, was used to claim a March 2026 malware attack on a U.S.-based medical technology company. The group framed the attack as retaliation linked to ongoing geopolitical tensions.


This mix of hacking and messaging is becoming a defining feature of Iran-linked cyberattacks, where the goal is not just access, but visibility.

Data Leaks and Threats Target Individuals Directly

The same infrastructure was also used to expose personal data and issue threats.

According to court documents, the Handala-redwanted[.]to domain published identifying details of nearly 190 individuals associated with the Israeli Defense Force and government. The posts included messages suggesting these individuals were being tracked and could face consequences.

Other posts named individuals allegedly linked to Israeli institutions, warning that their locations were known and encouraging others to act. In another instance, the group claimed to have stolen 851 gigabytes of data from members of the Sanzer Hasidic Jewish community, along with a warning that more information would follow.

These actions show how Iran-linked cyberattacks are increasingly focused on individuals, not just organizations.

Threats Extended Beyond Websites

Investigators found that the campaign did not stop at public posts. Email accounts tied to the same operation were used to send direct threats to journalists and Iranian dissidents living in the United States and abroad.

In some messages, the senders claimed to have shared victims’ home addresses and offered financial rewards for acts of violence. The emails also referenced alleged links to criminal groups, adding another layer of intimidation.

The use of direct communication alongside public leaks suggests a more aggressive approach in Iran-linked cyberattacks, where the aim is to pressure targets both publicly and privately.

Justice Department Targets Infrastructure Behind Iran-Linked Cyberattacks

The Justice Department’s move focused on taking down the infrastructure enabling these activities.

“Terrorist propaganda online can incite real-world violence — thanks to our National Security Division and the U.S. Attorney’s Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate,” said Attorney General Pamela Bondi.

FBI Director Kash Patel added, “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents. We took down four of their operation’s pillars and we’re not done. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.”

[Image: Iran-Linked Cyberattacks. Image Source: FBI]

Officials also confirmed that the domains Justicehomeland[.]org and Karmabelow80[.]org had previously been used to claim responsibility for data theft targeting Albanian government systems, linked to tensions over support for an Iranian dissident group.

Iran-Linked Cyberattacks Show a Broader Shift

The takedown reflects a wider pattern. Iran-linked cyberattacks are no longer limited to stealing data or disrupting systems—they are being used to send messages, target individuals, and amplify political narratives.

By combining cyberattacks with data leaks and direct threats, these campaigns extend their reach beyond technical impact. The Justice Department’s action removes part of that network, but it also points to how these operations are evolving.

For now, the focus is on disruption. But the methods behind these Iran-linked cyberattacks suggest this kind of activity is unlikely to disappear anytime soon.


Article source: https://thecyberexpress.com/iran-linked-cyberattacks/