Handala targeted Telegram accounts of two Israeli officials

A technical analysis by KELA Cyber Intelligence Center said that posts linked to the Iran-linked group Handala in December 2025 claimed full phone compromises of two senior Israeli officials, but that the intrusion was limited to their Telegram accounts: about 1,900 chat entries were published, only roughly 40 of which contained actual messages.

KEY FACTS

  • Incident: Handala published Telegram account data tied to two officials
  • Targets: Naftali Bennett and Tzachi Braverman
  • Published data: about 1,900 chat entries, roughly 40 with messages
  • Likely vectors: session hijacking, social engineering, and tdata exfiltration

The published materials included contact lists, photos, videos and chat entries attributed to the two accounts. The releases appeared during December 2025 and were posted to platforms used by the actor.

Most chat entries were empty contact cards auto-generated by Telegram during synchronization. Only around 40 of the roughly 1,900 entries contained actual messages. The contacts were tied to active Telegram accounts, which points to data originating from Telegram itself rather than from raw device memory.

Probable attack techniques include SIM swap and SS7 interception, multi-vector one-time password harvesting, phishing pages and malicious QR codes, exfiltration of Telegram Desktop session files from the tdata folder, and unauthorized access to cloud backups.

Telegram defaults, such as a cloud password that is optional and cloud chats that are not end-to-end encrypted unless users start a secret chat, leave gaps in session protection. The incident highlights weaknesses in session management and the need for multi-factor authentication and tighter backup controls.

WHY IT MATTERS

Attackers can expose account data without full device compromise. Strengthened session controls, enabled multi-factor authentication and careful handling of desktop session files reduce the risk of account takeover for high-profile users.