The U.S. State Department has reissued a $10 million reward through its Rewards for Justice program for information on Iranian cyber actors responsible for attacks against U.S. critical infrastructure and government targets. The announcement came just hours after the FBI confirmed that Iranian hackers had successfully accessed the personal email account of FBI Director Kash Patel, a significant escalation in Iran's targeting of senior U.S. government officials.
The FBI Director's Email Breach
In a disclosure that sent shockwaves through the U.S. national security community, the Federal Bureau of Investigation confirmed that Iranian threat actors successfully compromised the personal email inbox of FBI Director Kash Patel. The breach represents one of the most sensitive personal-level compromises of a sitting U.S. intelligence community leader in recent memory.
Key details of the incident:
- Target: FBI Director Kash Patel's personal (non-government) email account
- Actor: Iranian cyber threat group (attribution confirmed by FBI)
- Method: Not fully disclosed; likely spear-phishing or credential stuffing against the personal account
- Data accessed: Contents of personal email correspondence (extent not yet disclosed)
- Status: FBI investigating; CISA notified
The breach of a personal email account — rather than a government .gov account — highlights a persistent vulnerability: senior officials often have less security hardening on personal accounts than on official government infrastructure, yet personal accounts may contain sensitive personal and professional communications.
Rewards for Justice: The $10 Million Offer
The Rewards for Justice (RFJ) program is administered by the State Department's Diplomatic Security Service and is designed to generate actionable intelligence on adversary cyber actors by incentivizing informants worldwide. The reissuance of the $10 million offer specifically targets Iranian state-sponsored cyber operators responsible for:
| Activity | Description |
|---|---|
| Critical infrastructure attacks | Targeting U.S. power grids, water systems, financial networks |
| Government network intrusions | Breaches of U.S. federal agency systems |
| Ransomware coordination | Iranian groups providing infrastructure to ransomware actors |
| Espionage campaigns | Intelligence collection against U.S. officials and defense contractors |
| Election interference | Documented Iranian operations targeting 2024-2026 electoral processes |
The offer covers several threat actors tied to Iranian government-backed cyber operations, including groups that have previously been indicted by the U.S. Department of Justice.
Iran's Escalating Cyber Campaign Against the U.S.
The Patel email breach and the reward reissuance come in the context of a sustained and escalating Iranian cyber campaign:
Recent Iranian Cyber Operations (2025-2026)
Roar of Lion (February 2026) — A coordinated Iranian cyberattack disrupted approximately 4% of Iranian internet traffic (in a campaign with international components) and targeted infrastructure in multiple Middle Eastern countries allied with the United States.
Stryker Wiper Attack — Iranian-linked hackers deployed a wiper attack that destroyed tens of thousands of devices across targeted organizations without requiring any malware installation, leveraging legitimate administrative tooling.
Director Patel Email Breach — The confirmed compromise of the FBI Director's personal email represents a significant intelligence collection operation.
TA446 DarkSword Campaign — Iranian-linked threat actor TA446 deployed an iOS exploit kit in targeted spear-phishing campaigns against U.S. and allied government officials.
Iranian Threat Actor Taxonomy
The U.S. government and cybersecurity researchers track multiple Iranian APT clusters:
| Group | Also Known As | Primary Focus |
|---|---|---|
| APT33 | Elfin, Refined Kitten | Aerospace, energy, critical infrastructure |
| APT34 | OilRig, Helix Kitten | Government, financial, energy espionage |
| APT35 | Charming Kitten, TA453 | Academic, journalists, government officials |
| APT39 | Chafer | Telecommunications, travel industry |
| Sandstorm | IRGC-affiliated | Destructive attacks, wiper deployment |
Why Personal Email Accounts Are High-Value Targets
The Patel breach illustrates why adversaries specifically target personal accounts of senior officials:
- Lower security baseline — Personal Gmail, Yahoo, or Outlook accounts lack enterprise security controls like conditional access, DLP, and advanced threat protection
- Sensitive personal communications — Officials often discuss matters informally on personal accounts that wouldn't appear in official channels
- Contact discovery — Address books and email threads reveal the full scope of an official's professional network
- Cross-contamination — Personal devices that access both personal and work email can serve as a pivot point to classified networks
- Blackmail material — Personal correspondence can be leveraged for coercion or intelligence operations
Recommendations for High-Value Individuals
Senior government officials, executives, and other high-value targets should treat personal accounts with the same rigor as official accounts:
Account Hardening
1. ENABLE hardware security keys (YubiKey) for all personal accounts
   - Gmail: Security → 2-Step Verification → Security Key
   - Microsoft: Security → Advanced Security Options → Security Key
2. USE unique, long passwords from a password manager
   - Never reuse passwords between work and personal accounts
3. ENABLE advanced protection programs
   - Google Advanced Protection Program
   - Microsoft Account Guard
4. AUDIT connected apps and OAuth grants regularly
   - Remove any app that no longer needs access
   - Review "Account activity" for unfamiliar sign-ins
Operational Security
- Assume all personal communications may be read by nation-state adversaries
- Never discuss classified or sensitive work matters on personal accounts
- Report suspicious emails to security teams — even on personal accounts
- Use Signal or other end-to-end encrypted platforms for sensitive personal communications
Geopolitical Context
The reward reissuance and the FBI Director breach come amid heightened U.S.-Iran tensions over nuclear negotiations, sanctions policy, and proxy conflicts in the Middle East. Iran has historically escalated cyber operations in periods of diplomatic strain, using cyber intrusions as a tool of statecraft to collect intelligence, signal capability, and apply pressure short of kinetic conflict.
The $10 million reward reissuance signals that the U.S. government views Iranian cyber operations as a sufficiently serious threat to warrant public action and international intelligence solicitation, even as diplomatic back-channels remain active.
How to Report Information to Rewards for Justice
The State Department accepts tips through multiple secure channels:
- Website: rewardsforjustice.net
- Tor hidden service: Available via the RFJ website for anonymous submission
- Signal/WhatsApp/Telegram: Published on the RFJ site
- US embassies: Diplomatic security contacts at U.S. embassies worldwide
All reporting channels support anonymous submission, and awards are paid by a method of the tipster's choosing, including cryptocurrency.
Conclusion
The combination of the FBI Director's personal email breach and the State Department's $10 million reward reissuance sends a clear message: Iranian cyber operations against the United States are escalating, and the U.S. government is responding with both intelligence collection (rewards program) and direct acknowledgment of the breach's significance. For security professionals, the Patel breach is a reminder that protecting senior officials requires extending security controls beyond enterprise networks to personal accounts and devices.
Source: The Record — March 30, 2026