We don’t know exactly how Handala got into Kash Patel’s accounts. I’m not going to claim we do.
But from years of responding to MOIS-linked intrusions, the answer is almost never what people expect. No zero-day. No exotic iMessage exploit. No nation-state malware. In case after case, the access was simpler: credential dumps, stealer logs, data sitting in breach databases for years. Waiting for someone to query the right name.
So we did.
Step 1: The Right Name
Searching “Kash Patel” in breach databases gets you nowhere. Noise, anti-US content, Telegram channels, nothing useful.
But “Kash Patel” isn’t his legal name.
Wikipedia gives you Kashyap Pramod Patel, born February 25, 1980. FBI Director since 2025. That’s the search that matters.
Step 2: MGM Grand Hotels
Running Kashyap Patel across breach databases, the first significant match is the MGM Grand Hotels breach, carried out by ALPHV/BlackCat and Scattered Spider in 2023, with records indexed in early 2025.
The record:
{
"e": "spiderkash@yahoo.com", ← matches Handala leak
"dob": "1980/02/25", ← matches Wikipedia
"n": "Kashyap Patel", ← matches Wikipedia
...remaining fields redacted
}
Name, DOB, and email all line up. The email matches what Handala published. Hot candidate.
Step 3: The Phone Pivot
The MGM record includes a phone number.
Pivot on the phone. Hit: the Parkmobile breach.
┌─────────────────────────────────────────┐
│ Parkmobile breach record │
├─────────────────────────────────────────┤
│ phone : ██████████ ← same as MGM │
│ email : patelkpp@gmail.com ← │
│ name : Kashyap Patel │
└─────────────────────────────────────────┘
Same phone. Different email: patelkpp@gmail.com. KPP = Kashyap Pramod Patel. Now we have his Gmail.
Step 4: The Post Millennial
Run the Gmail through breach databases. One hit: the Post Millennial breach (2024), a Canadian conservative outlet that was hacked. Inside their dump:
Kash_Patel_Records_House_File.csv
A file named after him, from his time on the House Intelligence Committee. Hard to argue with that.
Step 5: Three Accounts, One Identity
Three email accounts in scope, all tied to the same identity through overlapping PII:
Earliest exposure: 2019. Most recent: after he became FBI Director. The passwords across all three share the same root, the same base word, incrementally modified, the way most people update a password they’re not ready to fully change. Out of discretion I won’t publish them. But the pattern is unambiguous: one person, one evolving password family, used across everything.
Step 6: The Stealer Log
The Gmail appears not in a historical breach compilation, but in a stealer log. Look at the file path:
📂 [VE]38.41.5.66.rar
└── 📁 Desktop
└── 📁 combos
└── 📁 ✅ VALID COMBOS
└── 📄 net valid.txt
patelkpp@gmail.com : ████████
“VALID COMBOS” means an operator tested these credentials against live services and got a confirmed hit. Not a historical dump. Someone checked. It worked.
The most recent hit on the Gmail was a darknet .onion site, indexed in April 2025, after his Senate confirmation as FBI Director. His credentials were still circulating in active threat actor channels after he took the job.
What This Tells Us About MOIS
I’m not saying this is how Handala did it. We don’t have visibility into that. He may also have rotated the passwords, hopefully to randomly generated ones. He may also have had MFA or a physical token.
What I can say from responding to previous MOIS-linked intrusions: they don’t need to be clever. The pattern is consistent. The access path wasn’t a technical exploit. It was credentials sitting in breach databases for years. Old passwords. Forgotten accounts. Personal email tied to work identity. The gap between what the adversary needed and what was already available was often zero.
The key to the kingdom was on the floor. They picked it up.
The Gap Nobody Covers
Corporate security has firewalls, EDR, MFA, zero trust. Executives get the full stack at work. Hardened endpoints, monitored accounts, enforced policies.
Then they go home. Same password since 2019. Personal email tied to hotel loyalty programs and parking apps. No policy reaches there. No one is watching.
That’s the gap. For high-value targets, adversaries know exactly where to look.
What to Do on Monday
If you’re a security practitioner, you have a conversation to have. Not about Kash Patel. About your own executives.
What’s sitting in breach databases tied to their name, phone, and personal email? What passwords have been exposed? Which credentials were marked valid in stealer logs?
With consent and scope, you can find out before an adversary does. A breach exposure check on your executive team’s personal digital footprint, with their knowledge and approval, is a legitimate and underused tool. Pair it with a counter-intelligence review of their public digital presence.
The goal isn’t to surveil your executives. It’s to show them what an adversary already sees, and close the gap before someone uses it.
Your executives are only as secure as their least protected personal account.
The exposure here was real. Whether it was used in this intrusion or not, the data was there, in the channels most relevant to this case. That’s enough to start the conversation.
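As an added example (not the post's own tooling), this is the consented exposure check described above reduced to its core: take a breach-check export for one executive's known email, cluster records that share a normalized email or phone, and flag any record an operator already tested as valid. The records, field names and email addresses are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample export from a breach-check service (field names are assumptions).
RECORDS = [
    {"source": "hotel-loyalty-2023", "email": "jqe@example.com", "phone": "(555) 010-0001", "valid": False},
    {"source": "parking-app-2021", "email": "jane.exec@example.net", "phone": "555-010-0001", "valid": False},
    {"source": "stealer-log-2025", "email": "JANE.EXEC@example.net", "phone": "", "valid": True},
    {"source": "forum-2019", "email": "bob@example.org", "phone": "555-010-0002", "valid": False},
]

def norm_email(e):
    return e.strip().lower()

def norm_phone(p):
    return re.sub(r"\D", "", p)  # digits only, so "(555) 010-0001" == "555-010-0001"

def cluster_records(records):
    """Union-find: records sharing a normalized email or phone end up in one cluster."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    seen = {}  # (kind, normalized value) -> first record index that carried it
    for i, r in enumerate(records):
        for key in (("e", norm_email(r["email"])), ("p", norm_phone(r["phone"]))):
            if not key[1]:
                continue  # an empty identifier must not glue unrelated records together
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i
    groups = defaultdict(list)
    for i, r in enumerate(records):
        groups[find(i)].append(r)
    return list(groups.values())

def exposure_report(records, seed_email):
    """Everything linked to seed_email by the pivot chain, plus whether any hit was operator-tested."""
    seed = norm_email(seed_email)
    for grp in cluster_records(records):
        if any(norm_email(r["email"]) == seed for r in grp):
            return {
                "emails": sorted({norm_email(r["email"]) for r in grp if r["email"]}),
                "phones": sorted({norm_phone(r["phone"]) for r in grp if r["phone"]}),
                "sources": sorted(r["source"] for r in grp),
                "live_credential_risk": any(r["valid"] for r in grp),
            }
    return None
```

A `live_credential_risk` of True is the "VALID COMBOS" case from Step 6: that account goes to the top of the rotation list, ahead of anything that only appears in an old dump.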
All investigation conducted using publicly available breach data. Sensitive credentials not published.
