Pro-Iran Hackers Claim Hits on Stryker and Verifone, Rattling Health Care and Payments

A hacking crew calling itself “Handala Hack” is claiming cyberattacks on two major U.S. companies, medical device giant Stryker and payments terminal maker Verifone, framing the strikes as political retaliation tied to rising tensions among the U.S., Israel, and Iran.

Stryker has acknowledged a worldwide disruption affecting parts of its Microsoft environment but says it has not found evidence of ransomware. Verifone, meanwhile, flatly denies any service outage. The gap between the hackers’ loud claims and the companies’ cautious statements underscores a familiar reality in modern cyber conflict: the message can matter as much as the damage.

Hackers point to Stryker’s Israel ties, citing a 2019 acquisition

In posts circulating on social media, Handala Hack said it targeted Stryker because of alleged links to Israel, pointing to Stryker’s 2019 acquisition of OrthoSpace, an Israeli company. That kind of justification is standard in the hacktivist world, where attackers try to sell an operation as activism rather than a cash grab.

The goal is a simple narrative that spreads fast, even when technical details are thin. In these campaigns, a clear political storyline can be as valuable as proof of access.

Stryker confirms a global Microsoft-related disruption, but no ransomware detected

Stryker’s public messaging has centered on two points: the disruption is global, and the company has not detected ransomware or other malware. That doesn’t mean the incident is minor. Attacks can cause serious operational pain without deploying ransomware, through stolen credentials, hijacked admin tools, or targeted sabotage of internal services.

In health care, even partial disruption can ripple quickly. Hospitals and clinics don’t need a total blackout to feel the impact: delayed shipments, slower support, and manual workarounds can grind daily operations down.

One detail that drew attention: employees reportedly saw Handala’s logo appear on login pages, a kind of digital “tag” meant to intimidate and force a public reaction. Separately, calls to Stryker’s headquarters reportedly reached a recorded message referencing an emergency in the building, an indicator, at minimum, of a company in crisis-management mode.

Investors also reacted. Stryker shares fell more than 3% after early reports, a reminder that cyber incidents can carry real costs even without a ransom note: lost productivity, forensic work, remediation, and fears about sensitive data exposure. Stryker reported more than $25 billion in revenue in 2025 and operates in 61 countries, leaving little room for uncertainty about continuity.

Data-theft claims swirl, including an unverified “50 terabytes” figure

Handala Hack has claimed it stole massive amounts of data, up to 50 terabytes. That number has not been publicly verified, and such figures are often inflated for effect. But even a much smaller haul can trigger a major crisis if it includes sensitive internal communications, contracts, technical designs, or customer information.

Stryker’s statement that it has not found ransomware reduces one specific risk, mass encryption and extortion, but it doesn’t answer the question many partners care about most: whether data left the network.

Verifone denies any disruption, highlighting a familiar cyber playbook

In the same claim, Handala Hack said it also targeted Verifone, a major provider of payment terminals and related services. Verifone has disputed that anything was interrupted.

This kind of split-screen story is common. Attackers benefit from projecting broad reach (multiple targets, multiple sectors), while companies, especially in payments, have strong incentives to reassure customers quickly. In the payments ecosystem, even the hint of an incident can set off urgent questions from merchants, banks, and integrators about transaction slowdowns, terminal integrity, or compromised updates.

A “no outage” statement also doesn’t necessarily mean “nothing happened.” A company could be dealing with a blocked intrusion attempt, a limited breach, or an incident confined to non-critical systems while teams quietly comb through logs and privileged-account activity. In the first 24 to 72 hours, the priority is often confirming what didn’t change before describing what did.

Why geopolitics is driving the narrative, and possibly the targeting

The hackers are explicitly tying their claims to the broader U.S.-Israel-Iran confrontation. U.S. intelligence officials have warned in recent months that geopolitical escalation can bring cyber retaliation, often aimed at high-visibility economic targets rather than military ones.

Handala’s messaging linked the Stryker attack to a widely publicized incident in Iran that Iranian state media said killed at least 168 children after a strike hit a school, an event the Pentagon has said it is reviewing. Whether or not the hackers’ framing holds up, the strategy is clear: connect a highly emotional public narrative to a Western corporate target.

Security experts who track these campaigns often describe them as “asymmetric” operations: relatively low-cost actions that can create outsized disruption, uncertainty, and headlines. Some analysts have suggested the activity looks more opportunistic, potentially leveraging known vulnerabilities, than a demonstration of top-tier state capability. But the signaling effect can still be powerful.

For hospitals and partners, the hardest call is whether to cut ties, or keep systems connected

For Stryker’s customers, especially hospitals, the immediate question is operational: do you isolate the vendor’s connections until you know more, or keep them online to avoid losing support, updates, ordering, and maintenance? That decision can carry real-world consequences in clinical settings, where delays and manual processes can quickly pile up.

So far, neither the FBI nor the Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s lead cyber defense agency, has offered immediate public comment in the reporting cited. That silence is typical early on, but it also leaves companies and attackers battling for control of the narrative in the crucial first hours.

What comes next will likely look familiar: tighter network segmentation, stricter controls on privileged access, deeper scrutiny of vendors, faster patching, and more aggressive recovery planning. The larger implication is harder to shake: companies far from the battlefield can still become symbolic targets, and the disruption can be painfully concrete.

Key takeaways

Handala Hack claims it hit Stryker and Verifone as pro-Iran retaliation tied to geopolitical tensions. Stryker reports a global Microsoft-environment disruption but says it hasn’t found ransomware. Verifone denies any outage, illustrating the frequent gap between hacker claims and observable impact. The episode fits a broader pattern of asymmetric cyber signaling, where uncertainty and headlines are part of the weapon. For hospitals and other partners, continuity decisions, whether to isolate a vendor or stay connected, can be as consequential as the breach itself.

Key Takeaways

  • Handala Hack claims attacks targeting Stryker and Verifone as part of political retaliation
  • Stryker reports a global disruption to its Microsoft environment, with no evidence of ransomware
  • Verifone denies any disruption, highlighting the common gap between claims and observable impact
  • The case fits an asymmetric warfare dynamic where signaling matters as much as damage
  • Crisis communications and business continuity decisions become central for partners, especially hospitals

Frequently Asked Questions

Who is Handala Hack, and what is the group claiming?

Handala Hack is described as a pro-Iranian collective active since at least 2024. It claims responsibility for cyberattacks against Stryker and Verifone, framing them as retaliation tied to tensions between Iran, the United States, and Israel.

Why is Stryker cited as a target linked to Israel?

The hackers point to Stryker’s ties to Israel, including its 2019 acquisition of OrthoSpace, an Israeli company. This argument is used as political justification in the claim.

Was there ransomware in the attack on Stryker?

Stryker said it found no indication of ransomware or malware at the time of its statement. That does not rule out other scenarios such as service disruption, unauthorized access, or data exfiltration, which can take longer to verify.

Was Verifone actually disrupted?

Verifone disputed any disruption to its services, despite the group’s simultaneous claim. In cases like this, there can be a gap between attackers’ statements and the real-world impact observed in production.

Why are these attacks described as asymmetric warfare?

Because cyber actions, sometimes opportunistic, can have a disproportionate effect on major economic players by creating uncertainty, disruption, and media impact. Experts also note that these operations can be used to send strategic signals, even if the technical scale remains debated.
