Kash Patel's Personal Gmail Breach Triggers $10m Taxpayer-Funded Reward Offer

The breach of FBI Director Kash Patel's personal Gmail account by an Iran-linked hacking group has prompted the US State Department's Rewards for Justice programme to offer up to $10 million (approximately £7.8 million) for information leading to the identification of members of the Handala Hack Team, the group that publicly claimed responsibility for the attack on 28 March 2026.

The FBI confirmed the breach in a statement, saying it is 'aware of malicious actors targeting Director Patel's personal email information' and that it has 'taken all necessary steps to mitigate potential risks associated with this activity.' The bureau also stated that 'the information in question is historical in nature and involves no government information.' A Justice Department official separately confirmed the breach to Reuters, which was the first outlet to report it.

300 Emails, Old Photos, and a Resume

Handala published a sample of more than 300 emails alongside photographs of Patel, which appear to show a mix of personal and work correspondence dating between 2010 and 2019. The leaked materials also included what appeared to be Patel's personal resume, complete with his private Gmail address. The hacked materials, totalling around 800 megabytes, were published on the group's website and include photos as well as emails primarily from the 2010s.

At least some of the leaked emails were independently verified as authentic through cryptographic signatures within the message headers. In some cases, Patel appears to have sent emails from his FBI email address to his personal Gmail account, and emails sent from Patel's FBI account also appeared to be authentic.

A Deliberate Response to Domain Seizures

Handala made clear the breach was not opportunistic. In an online post, the group referenced the US government's seizure of its domains and said, 'We decided to respond to this ridiculous show in a way that will be remembered forever.' The Justice Department had seized four web domains linked to Handala just days prior, accusing the group of conducting psychological operations and acting as a front for Iran's Ministry of Intelligence and Security.

The domain used to carry out the hack against Patel was registered the same day the Justice Department announced the seizure of those four domains, on 19 March. Cybersecurity experts noted that the timing and content of the leak suggested Iran had been holding the material in reserve. Alex Orleans, head of threat intelligence at Sublime Security, said it 'looks like something they had sitting around,' adding that 'Iranian actors sit on all kinds of odds and ends for a rainy day.'

Not the First Time Patel Was Targeted

This breach did not come entirely without warning. News reports from December 2024, before Patel was confirmed as director, said that Patel had been informed by the FBI that he had been targeted as part of an Iranian hack. The latest incident appears to be a follow-through on that earlier intrusion, with Iran choosing now — with the US-Iran conflict ongoing — to make the stolen files public.

Gil Messing, chief of staff at Israeli cybersecurity company Check Point, said the hack-and-leak operation against Patel was part of Iran's strategy to embarrass US officials and 'make them feel vulnerable,' adding that the Iranians are 'firing whatever they have.'

The $10 million (£7.8 million) bounty now on the table reflects the broader stakes of this incident, not just for Patel personally, but for US national security infrastructure. Handala is not a fringe actor. Since US and Israeli air strikes on Iran began in February 2026, the group has ramped up its operations, most notably claiming responsibility for a destructive attack against medical tech giant Stryker that wiped tens of thousands of employee devices.

The group has also published personal details of individuals allegedly affiliated with the Israeli Defence Forces. Orleans noted that Iranian actors routinely retain compromised material for strategic deployment — a pattern this incident fits precisely.