Handala Hack: Telegram Accounts of Israeli Officials Compromised Through Session Hijacking

In December 2025, the hacktivist group Handala claimed it had carried out a major cyber-espionage operation against senior Israeli officials, alleging full access to their mobile phones and private communications. A detailed technical analysis, however, shows that the intrusion was limited to Telegram accounts and did not involve full device compromise.

Inflated Claims of a Phone Hack

Handala publicly stated that it had breached the personal phone of former Israeli prime minister Naftali Bennett, releasing what it described as thousands of chat conversations, contacts, images, and videos. The group later made similar claims regarding Tzachi Braverman, the Chief of Staff to Prime Minister Benjamin Netanyahu.

A closer technical review of the leaked material revealed inconsistencies with a full device extraction. The majority of the “chat data” consisted of automatically generated contact entries synced by Telegram rather than actual conversations. Only a small fraction of chats contained real message content, indicating access to a cloud-based messaging account, not the underlying smartphone.

What Was Actually Compromised

The exposed data aligns with information stored and synchronized by Telegram when a user logs in from a new session. This includes:

  • Contact lists synced from the account
  • Metadata associated with chats
  • Limited message history from cloud-stored conversations

There was no evidence of operating-system artifacts, application data from other apps, system logs, or file structures that would normally appear in a full phone compromise. This strongly suggests that attackers gained account-level access rather than physical or remote control of the devices.
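To make that distinction concrete, the following is an added Python example (not code from the original analysis) that triages a leaked dump the way the review above reasons: it counts how many "chats" actually hold user messages rather than synced contact entries, and checks the accompanying file list for paths that only a real device image would contain. The JSON layout (loosely modelled on Telegram Desktop's export), the device-path markers and the 50% threshold are assumptions, and all sample data is constructed.

```python
"""Classify a leaked messaging dump as account-level or device-level access."""
import json

# Constructed sample export: three entries that are really synced contacts
# (no user messages, at most a service event) and one genuine conversation.
SAMPLE_EXPORT = json.dumps({
    "chats": {"list": [
        {"name": "Contact A", "type": "personal_chat", "messages": []},
        {"name": "Contact B", "type": "personal_chat", "messages": []},
        {"name": "Contact C", "type": "personal_chat",
         "messages": [{"type": "service", "action": "contact_joined"}]},
        {"name": "Colleague", "type": "personal_chat",
         "messages": [{"type": "message", "text": "meeting at 9"},
                      {"type": "message", "text": "ok"}]},
    ]}
})

# Constructed file list shipped with the dump: only messenger-owned paths.
SAMPLE_FILES = ["export/result.json", "export/photos/photo_1.jpg"]

# Path fragments expected only in a full phone extraction (assumed heuristics:
# other apps' private data, OS partitions, system logs).
DEVICE_MARKERS = ("/data/data/", "/system/", "/var/mobile/", "logcat")


def chat_has_content(chat):
    """A chat is a real conversation only if it holds a user message."""
    return any(m.get("type") == "message" for m in chat.get("messages", []))


def triage(export_json, file_paths, threshold=0.5):
    """Return counts plus a verdict: device-level, account-level or inconclusive."""
    chats = json.loads(export_json)["chats"]["list"]
    with_content = sum(1 for c in chats if chat_has_content(c))
    fraction = with_content / len(chats) if chats else 0.0
    device_hits = [p for p in file_paths if any(m in p for m in DEVICE_MARKERS)]
    if device_hits:
        verdict = "device-level"          # OS/app artifacts present
    elif fraction < threshold:
        verdict = "account-level"         # mostly synced contacts, few real chats
    else:
        verdict = "inconclusive"
    return {"total_chats": len(chats), "chats_with_content": with_content,
            "content_fraction": round(fraction, 2),
            "device_artifacts": device_hits, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT, SAMPLE_FILES), indent=2))
```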

Likely Attack Techniques

The operation appears to have relied on well-known Telegram takeover techniques rather than advanced mobile malware. The most likely methods include:

  • One-Time Password (OTP) interception, potentially through SIM swapping or telecom signaling abuse
  • Social engineering, tricking targets or people close to them into revealing verification codes
  • Phishing, including fake Telegram login pages or malicious QR-code authentication
  • Session hijacking via Telegram Desktop, where the locally stored authentication folder (“tdata”) can be copied and reused to gain account access without re-authentication

If session files are exposed through compromised laptops, shared computers, or insecure cloud backups, an attacker can fully control a Telegram account without triggering additional security warnings.

Why Telegram Accounts Are High-Value Targets

Telegram’s default architecture stores most conversations in the cloud and syncs them across devices. While this enables convenience and multi-device access, it also increases risk if an account session is hijacked. End-to-end encryption is only enabled in Telegram’s “Secret Chats,” which are not cloud-synced and remain device-specific.

Another contributing factor is that Telegram’s additional cloud password is optional. If users do not enable it, possession of a valid OTP or session token may be enough to take over the account entirely.

Handala’s Broader Activity

Handala emerged in late 2023 and has since been active across multiple underground forums, websites, and Telegram channels. The group blends hacktivism with psychological and information operations, often exaggerating the scale of its intrusions to maximize media attention and political impact. Its activities focus heavily on Israeli targets and align ideologically with pro-Iranian and pro-Palestinian narratives.

Key Takeaways

Despite dramatic public claims, the incident did not involve full phone hacking. Instead, it highlights how messaging-account compromise alone can expose sensitive contact networks and communications. For high-profile individuals, such access can still yield valuable intelligence even without device-level intrusion.

The case underscores the importance of:

  • Enabling Telegram’s additional cloud password
  • Monitoring and terminating unknown active sessions
  • Protecting desktop session files and cloud backups
  • Treating messaging accounts as critical security assets

The Handala incident serves as a reminder that in modern cyber-operations, account takeover can be just as damaging as malware-based device compromise.