May 26, 2026
Iranian-backed hackers blamed for Los Angeles transit system breach
Israeli cybersecurity firm Gambit Security has attributed a March breach of Los Angeles's transit authority to Iranian-backed hackers working for Iran's Ministry of Intelligence and State Security, contradicting claims by the hacktivist group Ababil of Minab. The assessment adds to concerns about state-sponsored Iranian cyber operations targeting critical U.S. infrastructure.
Quick Facts
- Who: Gambit Security
- What: Breach of Los Angeles transit system
- When: March 2026 (breach)
- Where: Los Angeles
- Breach of Los Angeles transit system
- Data theft and deletion from LACMTA systems
- Gambit Security report attributing breach to Iranian government
- Attribution of Ababil of Minab to MOIS
- FBI seizure of Handala websites
Security researchers have attributed a March breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA) to Iranian-backed hackers working for Iran's Ministry of Intelligence and State Security (MOIS). Israeli cybersecurity startup Gambit Security released a report on Tuesday identifying the attackers behind the incident, which took weeks to recover from.
A hacktivist group calling itself Ababil of Minab initially claimed responsibility for the breach, stating they had stolen and deleted data from LACMTA systems. However, Gambit Security disputed this claim, asserting that the group is not an independent hacktivist crew but rather operates on behalf of the Iranian government. The group's name references a U.S. air strike on an Iranian school in Minab that killed more than 175 people, mostly children.
Gambit based its assessment on forensic evidence linking the group to previous Iran-linked campaigns, as well as activity attributed to MOIS by Israel's National Cyber Directorate. The security firm also investigated other attacks against companies in Israel, Saudi Arabia, and Turkey in reaching its conclusions. If accurate, Ababil of Minab would represent another example of fake hacktivist groups operating under Iranian government direction, following the recent discovery that Handala—another purported hacktivist group that breached medical technology company Stryker earlier this year—was also state-sponsored.
The attribution comes as Iranian-linked hackers have escalated their activities following military strikes by the U.S. and Israel against Iran earlier in 2026. In April, a coalition of U.S. agencies warned that Iranian hackers were actively targeting American critical infrastructure, signaling an intensifying cyber threat from Tehran.
Why This Matters
This attribution reveals that Iran is using fake hacktivist fronts to obscure state-sponsored cyber operations against U.S. critical infrastructure, making it harder for defenders to identify and respond to threats. Understanding that Ababil of Minab operates under Iranian government direction—not as independent activists—changes the threat calculus for transit agencies and other targets, signaling a sophisticated, coordinated campaign rather than isolated activist incidents. For readers in the transportation, cybersecurity, and government sectors, this demonstrates the escalating risk of Iranian cyber operations tied to geopolitical tensions.