Breach HANDALA-CIA-MOSSAD 2026-05-23

Passion for a Purpose: Handala Hack and Leak Operation

The Iranian-linked hacking group Handala claims to have breached Passion for a Purpose, a registered charitable organization, alleging it served as a covert front for joint CIA and Mossad operations. The group says it exfiltrated over 639,000 internal documents. As of publication, no independent cybersecurity firm or Western intelligence agency has verified the authenticity of the leaked material.

What Happened

Handala, an Iranian-aligned threat actor with a multi-year history of targeting Israeli and American institutions, announced the breach on 22 May 2026. The group positions itself as a politically motivated resistance actor rather than a financially driven criminal enterprise, and its disclosures consistently align with Iranian state messaging.

According to Handala's public statements, the operation targeted the servers of Passion for a Purpose, which the group alleges functioned as a logistical, financial, and communications backbone for Israeli intelligence. The group claims the charity was used to channel funds, coordinate covert meetings, and maintain operational cover for field assets across multiple jurisdictions.

The timing of the disclosure coincides with active military confrontation between Iran, Israel, and the United States, a context that materially shapes how the data dump should be interpreted.

What Was Taken

Handala claims the archive contains approximately 639,000 documents, including:

The volume and category mix are consistent with a full email and document store exfiltration rather than a targeted pull. However, none of the data has been independently authenticated, and selective release or insertion of fabricated material cannot be ruled out.

Why It Matters

This incident illustrates the operational maturity of state-aligned hack and leak campaigns as instruments of information warfare. Even if a portion of the leaked material is authentic, the strategic value to the releasing actor lies in the framing, not the raw data. Three scenarios remain open: fully genuine documents, partially genuine documents with fabricated insertions, or genuine documents stripped of context that would alter their meaning.

For defenders, the incident reinforces several points. NGOs, charities, and humanitarian-adjacent organizations remain attractive soft targets for both intelligence collection and narrative operations. They typically operate with limited security budgets, hold sensitive donor and beneficiary data, and carry reputational weight that adversaries can exploit. The conflation of genuine charitable work with alleged intelligence cover, whether true or fabricated, creates lasting reputational damage regardless of the underlying facts.

The Attack Technique

Handala has not published technical details of the intrusion. Based on the group's prior tradecraft in publicly documented incidents, its typical access vectors have included credential theft via phishing, exploitation of internet-facing applications, and abuse of weak remote access configurations. The group has previously demonstrated capability for bulk email and file system exfiltration, followed by staged public releases timed for maximum political impact.

No indicators of compromise tied to this specific intrusion have been released by Passion for a Purpose, by any incident response firm, or by national CERTs at the time of publication.

What Organizations Should Do

  1. Treat the leaked dataset as potentially weaponized. Analysts reviewing the material should assume the corpus may contain selectively curated, altered, or fabricated documents designed to support a predetermined narrative.
  2. NGOs and charities with international operations should review identity and access management on email, file storage, and finance systems, and enforce phishing-resistant MFA across all administrative accounts.
  3. Audit external-facing infrastructure for unpatched applications, exposed admin interfaces, and legacy VPN appliances that align with Iranian threat actor targeting patterns.
  4. Implement egress monitoring and data loss detection capable of flagging anomalous bulk transfers, particularly to file-sharing services and Tor exit relays.
  5. Establish a pre-approved crisis communications plan covering hack and leak scenarios, including legal review of any internal acknowledgment of leaked material's authenticity.
  6. Coordinate with national cyber authorities and sector ISACs before publicly engaging with the leaked content, as premature confirmation or denial can amplify the operation's impact.
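Recommendation 4 above calls for egress monitoring that flags anomalous bulk transfers to file-sharing services and Tor exit relays. The following is an added illustration, not code from the brief or from any incident response firm: it parses constructed proxy log lines (timestamp, client, destination, bytes sent), sums outbound volume per client to a hypothetical watch list of file-sharing domains and relay IPs, and flags clients whose volume exceeds both an absolute floor and a multiple of the fleet median. The domain suffixes, relay IP, thresholds and log format are all assumptions.

```python
"""Egress baseline check for bulk transfers to watched destinations.

Added example. The log lines, watch list and thresholds below are
constructed for illustration; an organization would feed its own proxy
or NetFlow export and maintain its own destination lists.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: timestamp, client IP, destination host/IP, bytes sent
SAMPLE_LOG = """\
2026-05-20T09:01:12 10.0.1.15 mail.example.org 4210
2026-05-20T09:03:40 10.0.1.15 cdn.example.net 1200
2026-05-20T09:05:02 10.0.1.22 drive.example-share.com 812000000
2026-05-20T09:06:30 10.0.1.22 drive.example-share.com 640000000
2026-05-20T09:07:11 10.0.1.31 transfer.example-share.com 9800000
2026-05-20T09:08:45 10.0.1.40 mail.example.org 5300
2026-05-20T09:10:00 10.0.1.40 docs.example-share.com 2100000
2026-05-20T09:11:20 10.0.1.22 203.0.113.9 310000000
garbage line that should be skipped
"""

# Hypothetical watch list: file-sharing domain suffixes and a relay IP
# (documentation-range address, constructed for this example).
FILE_SHARING_SUFFIXES = ("example-share.com",)
RELAY_IPS = {"203.0.113.9"}


def parse_lines(text):
    """Yield (client, destination, bytes) for well-formed lines; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def bytes_to_watched_destinations(text):
    """Sum bytes each client sent to file-sharing hosts or relay IPs."""
    totals = defaultdict(int)
    for client, dest, nbytes in parse_lines(text):
        if dest.endswith(FILE_SHARING_SUFFIXES) or dest in RELAY_IPS:
            totals[client] += nbytes
    return dict(totals)


def flag_bulk_uploaders(text, factor=10, floor=100_000_000):
    """Clients above an absolute floor AND `factor` x the fleet median."""
    totals = bytes_to_watched_destinations(text)
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(c for c, b in totals.items()
                  if b >= floor and b >= factor * baseline)
```

The median comparison keeps one noisy client from masking another, while the absolute floor stops a tiny fleet from alerting on routine uploads.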

Sources: Iranian Hackers Claim to Expose CIA-Mossad Network Hidden Inside a Charity; What We Know and What We Don't