- Gambit Security links the March 2026 breach of the Los Angeles transit system to Iranian state-sponsored actors, not hacktivists, citing forensic evidence linked to previous campaigns.
- The attackers stole approximately 700 GB of emails, backups and internal data, and Minab’s pro-Iran group Ababil claimed responsibility despite indications that it is a front for Tehran.
- Analysts note that this fits a broader pattern of fake hacktivist groups like Handala being used by Iran to mask destructive operations and state-directed cyber espionage.
The March 2026 cyberattack on the Los Angeles transit system was not the work of “hacktivists,” but rather Iranian state-sponsored threat actors, after experts at Gambit Security claimed to have found evidence connecting the breach to the government in Tehran.
Two months ago, the Los Angeles County Metropolitan Transportation Authority (LACMTA) detected unauthorized activity on its internal network and shut down portions of its computer systems to contain the breach. The attack disrupted some customer services, including arrival information screens and TAP card top-up systems, although trains and buses continued to operate as normal.
Some time later, a pro-Iran hacking group calling itself Ababil de Minab claimed responsibility for the breach, saying they stole hundreds of gigabytes of internal data from the transit agency. Gambit now claims that the attackers made off with 700GB of emails, backups and other data, after finding the stolen files exposed online.
Who are Ababil of Minab?
Investigators also said they followed the evidence trail to a server that had previously been seen used in other Iranian state-sponsored hacking campaigns.
According to PakGazette, many cybersecurity researchers suspected that the LACMTA attack was the work of the Iranians. Eyal Sela, director of threat intelligence at Gambit, said the company’s research now adds forensic evidence to support these claims.
Minab’s Ababil is a lesser-known group that first emerged a few weeks after the LACMTA incident. The name refers to the US airstrike on an Iranian school that occurred at the beginning of the latest conflict between the United States, Israel and Iran, in which 175 people, mostly children, were killed.
In its article, TechCrunch said that if Gambit’s assumptions are correct, Minab’s Ababil would be the “latest in a series of fake hacktivist groups working for the Iranian government.” Before this group was Handala, who hit Stryker and wiped thousands of company systems and employee devices.
Through TechCrunch
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
