Iranian Hackers Are Using Elon Musk’s Starlink To Stay Online

02.03.2026

Over the last two days, an Iranian hacker group called Handala has used X to threaten the West with cyberattacks in retaliation for the U.S. and Israeli missile strikes. But it’s been relying on American technology, from Elon Musk’s Starlink, to stay online.

The crew has been using Starlink satellite internet since at least mid-January, when Iran shut down its internet over concerns of foreign cyberattacks on its networks, according to analysis from Israeli cybersecurity company Check Point. Gil Messing, chief of staff at Check Point, confirmed the company’s data shows the group continued to use Starlink until at least February 28, the day of the strikes, and he believes Handala continues to use it today.

“They’re the most notorious hacking group the regime uses.” Gil Messing, chief of staff at Check Point


Numerous cyber experts told Forbes Handala is either operated or directed by Iran’s Ministry of Intelligence and Security (MOIS). It is one of a number of groups operating under the guise of hacktivism that are actually linked to the government, they said. Most recently, Handala claimed successful breaches of senior Israeli politicians’ personal data, which it leaked online.

“They’re the most notorious hacking group the regime uses,” says Messing. He says he’d contacted Starlink to inform the company about hackers’ use of its tech, but he’d not received a response. SpaceX did not respond to Forbes’ comment request.

Starlink terminals, which provide satellite internet access, are prohibited from use in Iran, both by the regime and because of American sanctions. But as many as 30,000 are operational in the country, according to Holistic Resilience, a nonprofit trying to keep Iranians online. They’re smuggled into the country thanks to a thriving black market, driven by demand for free, uncensored internet. Reports last month suggested that the Trump administration has helped smuggle Starlink tech into Iran, in large part to allow protestors to broadcast what is happening in Tehran to the outside world. But encouraging Starlink use in the country appears to have allowed anti-American groups like Handala to benefit too.

In recent days, Handala has used another Elon Musk platform, X, to tweet its support for Iran and claim successful hacks into Jordan’s fuel infrastructure and unspecified oil and gas sector businesses. Forbes could not verify the efficacy of those attacks.

On Sunday, the day after the strikes, Handala wrote on X, “Those who started the fire will hear the echo of our response in their own skies tonight. Our patience has reached its end, and our answer will be as decisive as history itself.”

Former Israeli intelligence staffer Sanaz Yashar, now cofounder and CEO at cyber company Zafran, said that Handala’s continued operation indicates that missiles aren’t an effective way to shut down cyber operations. “It can work temporarily, but they will come back,” she tells Forbes, noting that the same thing played out with Hamas’ hackers.

Given Handala’s ties to Iranian intelligence, the group’s premium X account, which costs $8 monthly, could pose a problem for Musk. MOIS is under U.S. sanctions, so it’s illegal for an American company to do business with the agency. Handala is not the only Iranian government-linked group with a premium account: Last month, the Tech Transparency Project, a nonprofit focused on big tech accountability, released a report showing how Iranian leaders like the head of its judiciary, and media entities like state-run TV station Al-Alam, had bought premium accounts on X. X did not respond to requests for comment at the time of publication.

Following the missile strikes this weekend, both sides launched cyberattacks. Fatimiyoun Electronic Team, another hacktivist group tied to MOIS, tried to infect Israeli computers with “wiper” malware aimed at erasing data, according to analysis from Flashpoint, an American cybersecurity research company.

BadeSaba, an Iranian prayer and calendar app used by over 5 million, was also breached. Hackers broadcasted messages over the app, instructing members of the Iranian Revolutionary Guard Corps to surrender, and providing coordinates for “safe zones” for anti-regime protesters.


© Forbes