ICNA

Iranian Cyber News Agency

Homeland Justice

Homeland Justice is a state-aligned Iranian hacktivist persona used by the Ministry of Intelligence and Security (MOIS) to conduct disruptive cyberattacks and psychological-operations campaigns, most notably against Albania since 2022. The group has carried out ransomware and wiper attacks, leaked sensitive government data, and repeatedly targeted Albanian institutions – including the e-Albania portal, Tirana municipality, and the Parliament – often in retaliation for Albania’s support of Mujahedeen e-Khalq (MEK). Homeland Justice operates alongside sister personas such as Handala and Karma Below, with similar, if not identical, infrastructure and operators. They are supported by technical reconnaissance groups like HEXANE, forming a coordinated pattern of cyber influence and disruption.
The domains justicehomeland.org and karmabelow.org were seized with court authorization by the US Justice Department in March 2026.

Date founded: 2021/2022
Affiliation: Homeland Justice has been affiliated with MOIS and the IRGC.

Social media handles/websites:

X: @GhymanSarnegouni
Website: justicehomeland.org / JusticeHomeland.info (still live)
Email: [email protected]
Telegram: t.me/boost/justice_homeland / t.me/HomelandJustice / t.me/homelandjusticeru / t.me/JusticeHomeland1

Previous operations:
May 2021 – Considered the first time that threat actors (later associated with Homeland Justice) gained access to the Albanian Government networks. They spent 14 months studying the network to identify weaknesses and attack vectors.
July 15 2022 and Sep 9 2022 – Claimed responsibility for stealing sensitive documents from Albanian government organizations. The motivation for leaking this information appears to be the Albanian government’s decision to support the Iranian dissident group MEK.
June 20 2025 – Attack on the website of Tirana Municipality, disabling online services and disrupting the city’s public registration system for kindergartens and nurseries. HJ stated on Telegram that they had “extracted all data and wiped the servers” of the municipal IT infrastructure. HJ posted screenshots allegedly showing server codes and backend access. HJ accused Albania of sheltering terrorists (MEK) and granting them fake passports and ID cards.
March 13 2026 – Homeland Justice claimed to have seized email correspondence of multiple MPs from Albania’s Parliament and 815 MB of parliamentary data. HJ displayed a video that showed access to the servers and deletion of information.
March 31 2026 – Announced that they had carried out a cyberattack against the systems of the General Prosecutor’s Office in Albania. Some media outlets have claimed that HJ also hacked the Supreme Court. The HJ website states “Homeland Justice has full access to the data of www.pp.gov.al and denies hacking of www.gjykata.gov.al data.” No official confirmation so far.

Tactics/Techniques/Tradecraft/Procedures (TTPs):
• ZeroCleare Malware
• Ransomware (incl. ROADSWEEP)
• Used tools to gather email data (incl. Advanced Port Scanner, Mimikatz, and Impacket)
• Spear-phishing (from legitimate hijacked emails)
• Token impersonation/theft
• Data theft/disruption
• Sensitive data leaks


Associated groups:

  • Handala hack
  • Karmabelow (karmabelow80.org)
  • HEXANE

Sources:
[1] – justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations
[2] – cisa.gov/news-events/cybersecurity-advisories/aa22-264a
[3] – tiranatimes.com/iran-hacks-tirana-municipality-in-relation-over-mek/
[4] – balkanweb.com/en/iranian-hackers-homeland-justice-attack-the-high-court-and-the-prosecutor-general%27s-office/#gsc.tab=0
[5] – attack.mitre.org/campaigns/C0038/
