U.S. service members stationed in Bahrain were directly targeted this week in a coordinated intimidation campaign that blended cyber intrusion, psychological pressure, and doxxing threats—highlighting a growing shift in how adversaries are engaging U.S. personnel overseas.
According to Stars and Stripes, service members at Naval Support Activity Bahrain—home to U.S. Naval Forces Central Command—began receiving WhatsApp messages on their personal phones Monday warning that they were being monitored and could be targeted by missiles and drones. The messages, signed by a group calling itself “Handala,” included links to the group’s website and appeared to originate from a Bahraini phone number tied to a local business, suggesting the number may have been spoofed or compromised.
“Your identities are fully known to our missile units, and every move you make is under our surveillance,” read the text. “Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles. We will deal with you, the terrorists whose hands are stained with the blood of the Minab schoolchildren. We suggest you call your families now and say your final goodbyes.”
The following day, the group escalated its claims, posting on Telegram that it had obtained and published personal information for more than 2,300 U.S. Marines deployed in the Persian Gulf.
A Campaign Moving Closer to U.S. Forces
The Bahrain incident marks a notable evolution in Handala’s activity. What began as a hacktivist effort focused largely on Israeli targets has increasingly shifted toward U.S. institutions and now, directly, U.S. military personnel.
Stars and Stripes reported that similar threatening messages were also sent to individuals in Israel, with authorities linking them to the same group. The outlet noted that the U.S. Navy recently warned personnel about an uptick in social engineering efforts tied to the ongoing conflict with Iran, urging sailors to secure personal devices and avoid suspicious links.
The advisory emphasized that adversaries are attempting to influence behavior and gather access through phishing and targeted messaging campaigns.
Who Is “Handala”?
Handala emerged in December 2023, launching coordinated activity across Telegram and X shortly after the October 7 Hamas attack. The group’s name and imagery reference a well-known Palestinian symbol, positioning itself within a broader pro-Palestinian hacktivist ecosystem.
Early messaging from the group referenced Hamas directly before shifting toward broader anti-Israel and anti-U.S. narratives. Since then, its operations have grown in both scale and sophistication.
According to reporting from The Jerusalem Post, the group has been linked to widespread messaging campaigns targeting Israelis across the country on Monday.
Israelis across the country on Monday received similar messages that authorities believed were linked to the same organization.
Escalating Cyber Operations
By early 2026, Handala had moved beyond messaging campaigns into large-scale cyber operations.
In March, the group claimed responsibility for a disruptive attack on Stryker Corporation, a major U.S. medical device manufacturer with significant Department of Defense contracts. The company later disclosed to the U.S. Securities and Exchange Commission (SEC) that it experienced widespread operational disruption, though specific attribution details remain limited.
That same month, the group breached the personal email account of FBI Director Kash Patel, publishing hundreds of emails and images online. While the FBI confirmed the breach, it stated the materials were historical and did not involve classified or government systems.
The incident followed a U.S. government action to seize several domains linked to Handala and announce a $10 million reward for information on its members, suggesting a cycle of action and retaliation between the group and U.S. authorities.
A Broader Shift in the Threat Environment
The targeting of U.S. service members’ personal devices underscores a broader trend: adversaries are increasingly bypassing hardened military networks and instead going after individuals directly.
This approach leverages widely used platforms like WhatsApp and personal email accounts, where security controls are more limited and response mechanisms are less centralized.
The Navy’s recent warning advising all sailors to lock down their phones and social media accounts reflects growing concern that these campaigns are designed not only to collect information but also to create stress, disrupt operations, and influence behavior.
What It Means Moving Forward
The Bahrain incident highlights how cyber-enabled influence operations are evolving alongside geopolitical tensions. Rather than relying solely on technical disruption, groups like Handala are combining access, exposure, and intimidation to expand their reach.
For U.S. personnel operating overseas, the line between cyber threat and physical risk messaging is becoming increasingly blurred—delivered not through official channels, but directly to the devices in their pockets.
As enforcement actions and countermeasures continue, the pattern suggests these types of campaigns are likely to persist, adapting to both technological defenses and the broader conflict environment.
