The US State Department is putting up $10 million for anyone who can help identify members of Handala, an Iran-linked hacking group that claims to have compromised FBI drones assigned to secure the 2026 FIFA World Cup. The bounty underscores how seriously Washington is taking the threat, even as questions swirl about whether Handala’s claims are genuine or just very aggressive posturing.

The group, known formally as Handala Hack Team, says it has been monitoring FBI first-person view drones for several months. These are the drones deployed across venues in the US, Canada, and Mexico for the tournament that kicked off around June 11, 2026. Handala has warned authorities to beef up security and issued vaguely threatening messages directed at teams and venues.

Who is Handala and why does the US care this much

Handala first surfaced publicly in late 2023, wrapping itself in pro-Palestinian messaging. But US authorities have assessed that the group is something quite different under the hood: a front for Iran’s Ministry of Intelligence and Security, or MOIS.

The group has been categorized as part of what cybersecurity researchers call the Void Manticore threat cluster. Since its emergence, Handala has been linked to data leaks, wiper malware attacks, and operations targeting both Israeli and US entities.

The $10 million reward isn’t solely about the drone claims. It’s also connected to prior breaches attributed to the group, including a March 2026 hack of FBI Director Kash Patel’s personal email.

How credible are the drone claims

SITE Intelligence Group, which tracks extremist and threat actor communications, has flagged that Handala has not presented verifiable evidence to support its drone access claims. No screenshots of control systems. No leaked telemetry data. No proof-of-concept demonstrations. Just assertions.

That doesn’t mean the claims are false. State-sponsored hackers frequently avoid revealing their exact methods to preserve access for as long as possible. But the absence of evidence does mean the claims sit in a gray zone between credible threat and information warfare.

What this means for crypto and digital security

SITE Intelligence Group found no verifiable links between Handala’s claimed hack and any specific digital assets, tokens, or blockchain activity.

The North Korea playbook is instructive here. Lazarus Group, the DPRK-linked hacking operation, has stolen billions from crypto platforms over the years. Iran’s cyber capabilities are assessed to be less focused on direct crypto theft, at least for now, but the MOIS infrastructure that supports groups like Handala could theoretically pivot toward digital asset targets if geopolitical incentives shift.