
Iranian Hackers Leak Former IDF Chief’s Private Files in Post-Ceasefire Psychological Strike

IRGC-linked group released 19,000+ images and documents from Herzi Halevi's devices one day after Trump ceasefire announcement, marking shift toward personal targeting of military leadership.

Iranian state-sponsored hackers released over 19,000 private photos, videos, and operational documents belonging to former IDF Chief of Staff Herzi Halevi on April 9, 2026—one day after President Trump announced a ceasefire between the US, Israel, and Iran. The breach was executed by the Handala group, which the US Department of Justice assesses to be controlled by Iran’s Ministry of Intelligence and Security, and it represents an escalation in Tehran’s psychological warfare strategy during a critical diplomatic window.

“For years, Handala has silently and relentlessly been right at the heart of General Herzi Halevi’s system, the former Chief of Staff of the Zionist Army, watching, recording, and collecting everything that matters.”

— Handala hacker group statement

The leaked materials include photos of Halevi meeting Jordanian military chief Maj. Gen. Yousef Huneiti in Jordan and former US Central Command chief Michael Kurilla in Qatar—both previously undisclosed meetings, according to a Times of Israel report. The breach also exposed unblurred faces of Israeli pilots, commanders, and security operatives alongside family photos and personal documents spanning Halevi’s tenure as Chief of Staff from January 2023 to March 2025.

Timing Signals Strategic Intent

The release came hours after Trump announced a two-week suspension of bombing operations, with the reopening of the Strait of Hormuz as a key condition. The timing suggests Iran held the compromised data in reserve, waiting for maximum psychological impact during a ceasefire window when kinetic operations paused but information warfare continued.

“There’s no reason to assume this attack was carried out recently,” Gil Messing, Chief of Staff at Check Point Software Technologies, told i24NEWS. “It is entirely possible they simply sat on the material and waited for what they saw as the right moment to release it.”

Background

Herzi Halevi served as IDF Chief of Staff from January 16, 2023 to March 5, 2025, resigning to take responsibility for October 7 intelligence failures. The 56-year-old former general held one of Israel’s most sensitive military positions during a period of heightened regional tensions and classified strategic planning.

Messing also observed that Iranian cyber operations have intensified following the ceasefire announcement. “As in the past, the fact that there is a ceasefire in the kinetic war does not mean the cyberwar stops,” he told YNet News. “On the contrary, after Operation Rising Lion, we saw an increase in attacks from Iran following the ceasefire.”

Pattern of Elite Targeting

Handala has systematically breached devices belonging to Israel’s military and political leadership over the past year. Previous targets include former Prime Minister Naftali Bennett, former Defense Minister Yoav Gallant, Benny Gantz, and Prime Minister Netanyahu’s chief of staff Tzachi Braverman, according to Haaretz.

Breach Scale
  • Images and videos claimed: 19,000+
  • Undisclosed meetings exposed: 2
  • Halevi’s tenure as Chief of Staff: 25 months
  • Hours after ceasefire announcement: 24

The targeting of a former rather than current military leader marks a tactical evolution. By exposing retired officials’ private communications and operational history, Tehran aims to undermine confidence among active commanders who may fear similar exposure after leaving office. The psychological message is explicit: Iranian intelligence can reach into the personal lives of Israel’s military elite at will, with no statute of limitations.

Attribution and Infrastructure

The US Department of Justice confirmed in March 2026 that Handala operates under the control of Iran’s Ministry of Intelligence and Security, not as an independent hacktivist collective. Assistant Attorney General John A. Eisenberg stated that Iran “used the seized domains to dox and harass dissidents and journalists, incite violence against Jewish communities, and spread Tehran’s anti-American propaganda,” according to a Justice Department press release.

  • Dec 2025: Bennett and Braverman Breaches. Handala leaks private data from former PM Naftali Bennett and Netanyahu chief of staff Tzachi Braverman.
  • Mar 2026: US Domain Seizure. Justice Department disrupts Handala infrastructure, seizing domains used for psychological operations.
  • 8 Apr 2026: Trump Ceasefire Announcement. President announces two-week suspension of bombing operations; Strait of Hormuz reopening negotiated.
  • 9 Apr 2026: Halevi Leak Released. Handala publishes 19,000+ files from former IDF Chief of Staff, including classified meeting photos.

Cybersecurity researchers link Handala’s operations to APT33 (also known as Elfin), an IRGC-affiliated group active since 2013 that targets aerospace, defense, and energy sectors. The group has deployed destructive malware including SHAPESHIFT and espionage tools across the Middle East, according to LevelBlue SpiderLabs.

Verification Challenges

Israeli defense authorities have not independently confirmed the authenticity of all 19,000 files claimed by Handala. The scope of the breach—whether it compromised Halevi’s personal cloud storage, mobile devices, or military communications infrastructure—remains unclear. According to Calcalistech, security experts assess the leak as primarily targeting personal accounts rather than classified military networks, though the disclosed meeting photos suggest access to operational planning materials.

The breach methodology likely involved social engineering or device compromise rather than penetration of IDF’s classified network infrastructure. Iran’s shift toward personal device targeting reduces technical barriers while maximising psychological impact—family photos and private conversations prove more damaging to morale than stolen technical specifications.

Key Implications
  • Iran demonstrated capability to maintain multi-year covert access to senior Israeli military leadership’s personal devices
  • Psychological warfare now targets individual officials’ privacy and post-service vulnerability rather than institutional systems
  • Ceasefire windows may incentivise accelerated cyber operations as substitute for kinetic strikes
  • Personal cloud security among military leadership emerges as critical vulnerability independent of classified network defenses

Broader Context

The leak occurred as negotiations over the ceasefire terms remained contested. The agreement announced April 8 included a two-week suspension of bombing operations and provisions for reopening the Strait of Hormuz, through which roughly 21% of global petroleum passes. Oil markets responded to the announcement with West Texas Intermediate crude trading at $98.55 per barrel on April 10.

Iran’s choice to escalate cyber operations immediately following the ceasefire announcement signals that Tehran views information warfare as a parallel theater distinct from kinetic conflict. By releasing compromising material during diplomatic negotiations, Iran demonstrates continued operational tempo while maintaining technical compliance with bombing suspension terms.

The breach also exposes the challenge facing former officials who retain security clearances and institutional knowledge but lack the protective infrastructure of active service. Halevi’s meetings with Jordanian and US military leaders—now public—may complicate future Israeli diplomatic efforts and strain relationships with regional partners who expected confidentiality.

Israeli Response

Israeli defense officials have not issued public comment on the breach’s scope or authenticity as of April 10. The silence likely reflects both operational security concerns and the political sensitivity of acknowledging successful Iranian intelligence operations against former senior leadership.

The leak’s framing—“We are the shadow at the heart of your command”—aims to sow distrust within Israeli military circles about operational security and the long-term risks of serving in sensitive positions. Whether active commanders modify their personal device usage or communication habits in response will determine the breach’s strategic impact beyond immediate embarrassment.

Near-Term Developments

The ceasefire’s two-week timeline expires April 22, with negotiations over longer-term terms ongoing. Iranian cyber operations during this window will test whether information warfare remains decoupled from kinetic strike constraints or whether additional leaks trigger Israeli retaliation that undermines diplomatic progress.

Handala’s statement suggested additional material remains unreleased, indicating potential for further psychological operations timed to diplomatic pressure points. The group’s demonstrated patience in holding compromised data for strategic release suggests future disclosures may target active officials or coincide with sensitive negotiations.

West Texas Intermediate crude prices and Strait of Hormuz shipping volumes offer real-time proxies for ceasefire stability, with any disruption likely triggering immediate market response. Israeli officials face the challenge of responding to the Halevi breach without appearing to prioritise individual privacy concerns over strategic ceasefire negotiations that carry broader regional security implications.