The Department of Justice (DOJ), in a coordinated effort with the Federal Bureau of Investigation (FBI), recently announced the seizure of four internet domains allegedly linked to Iran’s Ministry of Intelligence and Security (MOIS). This action, announced on March 20, 2026, represents a significant move against state-sponsored cyber operations and online threats emanating from Tehran, targeting journalists, critics, and international adversaries.
The seized domains—Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to—were reportedly integral to a broader campaign of cyberattacks and psychological operations. According to investigators, these sites served multiple functions, including claiming responsibility for malware attacks, disseminating stolen information, and issuing explicit online threats. Officials describe the network as a coordinated component of Iranian cyber campaigns, specifically designed to intimidate individuals and disrupt communities, including Israeli civilians and Iranian dissidents living abroad.
Attorney General Pam Bondi underscored the critical national security implications of these operations. "Terrorist propaganda online can incite real-world violence," Bondi stated. "Thanks to our National Security Division and the U.S. Attorney’s Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate." Her comments highlight the perceived direct link between online incitement and potential real-world repercussions, framing the seizures as a preventative measure against such violence.
FBI Director Kash Patel emphasized the direct impact of the seizures on Iran’s operational capabilities. "Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents," Patel remarked. "We took down four of their operation’s pillars and we’re not done." This statement signals an ongoing commitment from federal authorities to dismantle similar networks and hold perpetrators accountable.
Court filings provided detailed evidence of the domains' malicious activities. The Handala-Hack domains, for instance, were found to have posted personally identifiable information (PII) belonging to approximately 190 members of the Israeli Defense Forces and government. These postings were allegedly accompanied by threatening messages, conveying that targets’ locations were known and explicitly urging violent retaliation. Furthermore, investigators linked these sites to emails that sent death threats to Iranian dissidents and journalists globally, often referencing financial bounties and criminal affiliates prepared to carry out attacks.
The domains Justicehomeland[.]org and Karmabelow80[.]org were identified as being associated with a separate hacktivist network utilized by MOIS. A notable incident cited in reports involved Justicehomeland[.]org, which in 2022 leaked sensitive Albanian government documents. This cyberattack occurred after Albania publicly supported the Iranian dissident group Mujahedeen e-Khalq (MEK), illustrating a consistent pattern of Iran exploiting online platforms to influence foreign policy decisions and intimidate its critics internationally.
Analysts indicate that Iran has increasingly relied on a multifaceted approach to achieve its geopolitical objectives, combining state-backed cyber units with proxy actors. These operations frequently involve targeting Western infrastructure, private companies, and critical industries. Such cyber campaigns often integrate malware attacks with propaganda and direct threats, aiming to amplify fear and coerce specific actions during periods of elevated political tension, particularly amidst U.S.–Iran disputes. The operations are designed not just to disrupt but to sow discord and exert psychological pressure.
In parallel with these enforcement actions, the DOJ’s Rewards for Justice program continues to offer substantial incentives for information. The program is currently offering up to $10 million for information leading to the identification of individuals acting on behalf of foreign governments who engage in malicious cyber activities against U.S. critical infrastructure. This initiative underscores the broad strategy employed by U.S. authorities to counter state-sponsored cyber aggression, combining proactive disruption with intelligence gathering.
Federal authorities, including the FBI’s Baltimore Field Office and Cyber Division, have affirmed that investigations are ongoing. They warn that state-sponsored online threats remain a persistent and evolving risk to national and allied security. The coordinated domain seizures, according to the DOJ and its law enforcement partners, signal a proactive and robust stance against cyber aggression and online intimidation campaigns. While these four specific sites have been disabled, officials reiterate that broader efforts will continue to identify, disrupt, and hold accountable those who exploit cyberspace to threaten individuals and undermine democratic institutions.
