Herzi Halevi photo released by Handala.

The 19,000 files: Iranian hackers claim years-long access to former IDF chief’s phone

The Iranian-linked hacking group Handala says it obtained 19,000 files belonging to Lt. Gen. Herzi Halevi in an operation targeting Israel’s top military leadership.

An Iranian-linked hacking group has claimed to have infiltrated the personal phone of former Israeli military chief Lt. Gen. Herzi Halevi, in what, if verified, would represent one of the most extensive breaches involving a senior figure in Israel’s security establishment.
The group, calling itself Handala, said on Thursday that it had maintained covert access to Halevi’s device over a period of years, extracting roughly 19,000 files. According to its statement, the material includes images from high-level meetings, strategic maps and personal data originating from Halevi’s private life.
Herzi Halevi photo released by Handala. (Social media)
The hackers also asserted that their archive goes beyond documents, containing what they described as live visual recordings from sensitive operational environments, including “crisis rooms” and other restricted facilities. They further claimed to possess thousands of unredacted images of senior officers and personnel.
While the full scope of the breach remains unverified, initial material released by the group appears to include authentic elements. Samples published online feature images and videos from Halevi’s tenure as chief of staff, including visits to air force installations and participation in senior-level discussions. The archive also appears to extend into his personal sphere, with photographs and videos from family settings, as well as images of identification documents.
The timing of the disclosure, one day after the announcement of a ceasefire by U.S. President Donald Trump, has drawn attention within Israel’s defense community. The release is widely being interpreted not only as an intelligence operation but as part of a broader psychological campaign aimed at undermining confidence among senior military leadership.
Among the materials circulated were clips described as deliberately embarrassing, including footage from informal family moments. The messaging accompanying the release suggested an effort to project persistent access to Israel’s inner command structures.
The incident is not isolated. It follows a series of cyber intrusions targeting senior Israeli officials, including former defense minister Yoav Gallant, former prime minister Naftali Bennett, Benny Gantz and Tzachi Braverman. In each case, personal devices or accounts were reportedly compromised, raising recurring questions about vulnerabilities at the highest levels of government.
What distinguishes the current case, if accurate, is the scale. A repository of tens of thousands of files could offer not just isolated fragments of information but a broader, more structured intelligence picture.
Security experts note that such breaches do not necessarily require penetration of classified military networks, which are typically isolated from the public internet. Instead, attackers often rely on more indirect methods, including social engineering and the exploitation of personal cloud services.
Groups such as Handala have a history of using spear-phishing techniques, carefully tailored messages designed to deceive specific individuals into revealing credentials or installing malicious software. While the method itself is decades old, it has evolved significantly, with the use of artificial intelligence enabling increasingly convincing impersonation and targeting.
Once access is obtained to a personal device or to accounts such as cloud storage services, the scope of exposure can expand rapidly. Automatically backed-up data, ranging from personal photos to work-related documents, may become accessible without requiring direct intrusion into secured systems.
The group’s claim that access was maintained over several years suggests the possible use of persistent tools, such as hidden backdoors embedded in legitimate applications or software updates.
Israeli defense authorities have not confirmed the authenticity of the full dataset, and the military has yet to issue an official response. Even so, the release itself, regardless of its precise origins, may already have achieved part of its intended effect.