A group calling itself "APT IRAN" claimed on March 20, 2026, to have exfiltrated 375 terabytes of data from Lockheed Martin - the world's largest defense contractor.
The group demanded more than $400 million in ransom and, on March 29, listed the alleged data on "THREAT MARKET," an obscure onion marketplace, with a stated value of $374,821,400 and an exclusive buyout price of $598,500,000. After ten days, zero verified data samples have been released.
Lockheed Martin denied the claim twice. No SEC 8-K filing has been made. No CISA advisory has been issued. This is not a data breach story. It is an information operation - and the real threat is not where most coverage has been looking.
Separately, on March 26, the MOIS-backed Handala group launched "Operation Lockheed Martin," publishing passport scans and personal details of 28 Lockheed Martin engineers working in Israel, accompanied by death threats. The Handala data has been independently verified.
The two operations - one fabricated, one real - are creating amplified psychological impact that serves Iran's wartime information warfare objectives.
KEY FACTS
- What: Two parallel Iranian operations targeting Lockheed Martin. APT IRAN claims 375TB data exfiltration (unverified, assessed as fabricated). Handala publishes verified personal data of 28 Lockheed Martin engineers in Israel with death threats (confirmed genuine).
- Who: "APT IRAN" is a low-tier pro-Iranian hacktivist collective with a self-assigned name, not a recognized Advanced Persistent Threat group. Handala is Void Manticore (Check Point) / Storm-0842 (Microsoft) / Banished Kitten (CrowdStrike), confirmed MOIS Counter-Terrorism Division.
- How: APT IRAN posted claims on Telegram and listed on THREAT MARKET, an unknown onion marketplace absent from every major dark web tracker. Handala compiled engineer data likely through OSINT, infostealers, and prior espionage operations - not a direct Lockheed Martin network breach.
- Data: APT IRAN has released zero verified samples. Handala published genuine passport scans, identification numbers, residences, and service assignments for engineers on F-35, F-22, and THAAD programs.
- Ransom: APT IRAN demanded $400M+ on March 28, framed as "the cost of building four F-35 fighters" - propaganda messaging, not a legitimate ransom negotiation.
- Impact: Information operation forcing media coverage, resource diversion, and reputational pressure during active U.S.-Iran conflict. Handala's engineer targeting creates genuine physical security risk.
WHAT HAPPENED
On March 20, 2026, a group operating under the name "APT IRAN" posted on Telegram claiming to have breached Lockheed Martin's systems and exfiltrated 375 terabytes of data.
The claim was amplified by Cyber Fattah, another pro-Iranian entity, which forwarded an alleged "Proof of Concept" with a dark web domain and sample data. Neither the PoC nor any data sample has been independently verified by any security researcher or threat intelligence firm.
As of March 30, Lockheed Martin has filed no SEC 8-K material incident disclosure. CISA has issued no advisory. The FBI has made no statement regarding the APT IRAN claim specifically.
On March 28, APT IRAN escalated to a formal ransom demand exceeding $400 million, framing the figure as the cost of four F-35 fighter jets - a detail designed for media consumption rather than negotiation.
onion site. The listing specified a "Total Data Value" of $374,821,400 and an "Exclusive Buyout Price" of $598,500,000. On March 30, the @DailyDarkWeb account posted a screenshot of the listing to X/Twitter, triggering a second wave of media coverage.
Handala published the names, passport scans, identification numbers, residential addresses, and service base assignments of 28 Lockheed Martin engineers working in Israel.
Cyber Daily and Cybernews independently confirmed the passport scans appear genuine and match LinkedIn profiles of Lockheed Martin senior staff. Programs identified in the doxxing included the F-35, F-22, and THAAD missile defense system.
Handala claimed to have shared the data with the IRGC.
THE FABRICATION
The APT IRAN 375TB claim fails every credibility test.
The name itself is the first red flag. "APT IRAN" is a self-assigned label. No government agency, no threat intelligence vendor, and no industry consortium has designated this group as an Advanced Persistent Threat.
Unit 42 describes them as "a pro-Iranian hacktivist collective" known for "hack-and-leak operations" against Jordanian infrastructure. Their only documented prior claim - alleged sabotage of Jordan's Silos and Supply General Company - remains unverified.
The data volume is absurd. 375 terabytes from a Tier 1 defense contractor would represent one of the largest data exfiltrations in history.
For context, the Chinese theft of F-35 design data - documented through the Snowden disclosures and reported by The Diplomat - exfiltrated approximately 50 terabytes over multiple years, conducted by a nation-state intelligence service with sustained, covert access.
APT IRAN, a group with no demonstrated capability beyond one unverified hacktivist claim, allegedly achieved 7.5 times that volume. Early reporting noted 375 gigabytes - a 1,000x discrepancy that suggests deliberate inflation as the story circulated.
Lockheed Martin's classified programs operate on JWICS and SIPRNet, networks that are physically separated from the internet.
The pricing is theatrical. No credible data broker in the history of cybercrime has priced a stolen dataset in the hundreds of millions.
Even the most sensitive breaches - those involving national security material - have been sold for low six figures on established dark web forums.
The $374,821,400 "total data value" and $598,500,000 "exclusive buyout" are propaganda numbers, calculated for headlines, not for buyers.
The marketplace is unknown. THREAT MARKET does not appear in any major dark web marketplace tracker - not CloudSEK, not Cyble, not SOCRadar, not Flare, not DeepStrike, not BreachSense. It is absent from Daunt.io's 2026 Darknet Market Analysis.
Legitimate high-value data sales occur on established forums such as XSS, Exploit.in, and RAMP, or through direct negotiation. A purpose-built, untracked marketplace for a single listing is consistent with an information operation, not a legitimate data sale.
Ten days have passed with zero verified samples. Threat actors with genuine stolen data release samples to demonstrate authenticity and drive up buyer interest. APT IRAN has not done so.
The CyberHub Podcast's James Azar called it a "classic hacktivist playbook" - high-profile targeting, exaggerated claims, and psychological impact without the evidence to back it up.
SOCRadar assessed the claim as "highly likely exaggerated or fabricated," noting the figures are "implausible at face value." Unit 42's March 2026 Iran threat assessment - published during the same period - does not mention the Lockheed Martin claim at all.
This pattern has direct precedent. In August 2022, Russian hacktivist group Killnet claimed to have stolen Lockheed Martin employee data, released alleged "proof," and offered the data for sale. No breach was ever confirmed.
APT IRAN's claim follows a near-identical playbook against the same target.
THE REAL THREAT
The fabricated data claim is the distraction. The real threat is the Handala operation.
Handala is not a hacktivist collective with a self-assigned name. They are Void Manticore (Check Point), Storm-0842 (Microsoft), and Banished Kitten (CrowdStrike) - a confirmed MOIS Counter-Terrorism Division operation.
The DOJ has officially attributed them to Iran's Ministry of Intelligence and Security.
In March 2026 alone, Handala conducted a destructive cyberattack against a major US company on March 11, had four domains seized by the DOJ on March 19, doxxed 28 Lockheed Martin engineers with death threats on March 26, and published more than 300 emails from FBI Director Kash Patel's personal Gmail on March 27.
The engineer data is verified and the physical threat is real. These are defense industry professionals working on the most sensitive U.S. weapons programs in an active conflict zone.
Their passport scans, home addresses, and work assignments were published alongside explicit threats referencing missile strikes.
Whether or not the data came from a direct Lockheed Martin breach - multiple experts assess it was compiled from OSINT, infostealers, and prior espionage - the safety implications for 28 named individuals and their families are immediate and concrete.
The two operations together create an amplification effect. APT IRAN generates the headline - "375TB Lockheed Martin breach" - that drives media coverage and forces Lockheed Martin into a defensive posture.
Handala delivers the genuine payload - verified personal data of real engineers with death threats. Each operation makes the other more effective. The fabricated claim gives Handala's targeting the context of a broader campaign.
Handala's verified data lends surface credibility to the fabricated claim. Whether this coordination is directed or opportunistic is an open question, but the strategic effect is the same.
TECHNICAL FAILURE CHAIN
1. Media amplification before verification. At least 12 outlets - including Hackread, Cybersecurity Dive, SC Media, Cyber Daily, UpGuard, and CyberNews - covered the APT IRAN claim within days of its posting.
While most included caveats, the coverage itself achieved the information operation's primary objective: forcing the narrative into the public discourse and making "Lockheed Martin breach" a headline. The coverage-to-verification ratio is the failure.
2. "APT" naming convention exploited. The group's self-designation as "APT IRAN" was effective social engineering against the media and security community.
The term "APT" carries specific meaning in threat intelligence - it implies state sponsorship, persistent access, and advanced tooling. By adopting the prefix, APT IRAN borrowed credibility they have not earned.
Multiple outlets initially reported the claim without clarifying that this is a self-assigned name.
3. Conflation of APT IRAN and Handala. Several reports blurred the line between the fabricated 375TB claim and Handala's verified engineer targeting, allowing each to borrow credibility from the other.
These are separate entities with different capabilities, different track records, and different levels of verification. Treating them as a single story serves the information operation's objectives.
4. Unknown marketplace treated as credible venue. The listing on THREAT MARKET was reported as a development in the story without sufficient scrutiny of the marketplace itself. A listing on an unknown, untracked marketplace is not equivalent to a listing on XSS or Exploit.in.
The marketplace infrastructure is part of the information operation, not independent evidence of a breach.
5. Volume discrepancy ignored. The shift from 375 gigabytes to 375 terabytes across reporting cycles - a 1,000x inflation - was not adequately flagged. This discrepancy alone should have triggered heightened skepticism.
INDICATORS OF COMPROMISE
Note: APT IRAN 375TB claim assessed as fabricated by SOCRadar, Unit 42, and ZERO|TOLERANCE.
FABRICATED OPERATION (APT IRAN):
- Self-designated hacktivist collective, not a recognized APT
- THREAT MARKET onion listing absent from all major dark web trackers
- Zero verified data samples in 10+ days
- Volume shifted from 375 GB to 375 TB (1,000x inflation)
VERIFIED OPERATION (Handala):
- Handala / Void Manticore (Check Point) / Storm-0842 (Microsoft)
- DOJ-confirmed MOIS operation
DOJ Seized Domains:
- justicehomeland[.]org
- handala-hack[.]to
- karmabelow80[.]org
- handala-redwanted[.]to
- $10M Rewards for Justice bounty
- 28 Lockheed Martin engineers doxxed (passport scans verified by Cyber Daily)
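For defenders who want to check historical DNS logs for contact with the seized domains listed above, the following is an added example, not code from the original advisory or from any vendor it cites. The log layout (timestamp, client, query name, query type) is an assumption and the sample lines are constructed; the point it shows is matching on label boundaries so that look-alike hostnames do not produce false hits.

```python
import re

# Defanged indicators exactly as listed on the page.
DEFANGED = [
    "justicehomeland[.]org", "handala-hack[.]to",
    "karmabelow80[.]org", "handala-redwanted[.]to",
]

def refang(indicator: str) -> str:
    """Turn 'name[.]tld' notation back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED}

def normalize(host: str) -> str:
    """Lowercase, drop a ':port' suffix and the trailing root dot."""
    return re.sub(r":\d+$", "", host.strip().lower()).rstrip(".")

def matched_ioc(host: str):
    """Return the IoC that host equals or is a subdomain of, else None."""
    labels = normalize(host).split(".")
    # Test only label-aligned suffixes, so 'nothandala-hack.to' and
    # 'handala-hack.to.example.com' are not reported as matches.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

# Constructed sample log (assumed format: time client qname qtype).
SAMPLE_LOG = """\
2026-03-27T08:14:02Z 10.0.4.17 www.handala-hack.to. A
2026-03-27T08:14:09Z 10.0.4.17 nothandala-hack.to A
2026-03-27T08:15:31Z 10.0.9.3 handala-hack.to.example.com A
2026-03-27T08:16:44Z 10.0.2.8 JusticeHomeland.org AAAA
2026-03-27T08:17:10Z 10.0.2.8 www.example.com A
"""

def scan(log_text: str):
    """Return (timestamp, client, qname, ioc) for each matching query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and (ioc := matched_ioc(parts[2])):
            hits.append((parts[0], parts[1], parts[2], ioc))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```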
REGULATORY EXPOSURE
SEC Regulation S-K / 8-K: Lockheed Martin has not filed an 8-K material incident disclosure. Under the SEC's December 2023 cybersecurity disclosure rules, a material breach requires disclosure within four business days.
Lockheed Martin's decision not to file is consistent with their assessment that no breach occurred.
ITAR (International Traffic in Arms Regulations): The F-35, F-22, and THAAD programs are classified under the U.S. Munitions List.
Handala's publication of engineer assignments to these programs - while not technical data - demonstrates that personnel assignments on classified programs have been exposed.
NIST SP 800-171 / CMMC 2.0: The Handala engineer doxxing raises questions about personnel security controls in allied-nation operations. The defense industrial base supply chain - particularly subcontractors in Israel - may face CMMC compliance scrutiny.
Physical Security: The Handala threats against named individuals constitute a credible physical security risk. Lockheed Martin's duty of care for employees working in conflict zones extends beyond cybersecurity into physical protection, relocation, and family security support.
INTELLIGENCE GAPS
1. Relationship between APT IRAN and Handala unconfirmed. Whether these operations are coordinated by a single command structure, loosely affiliated through shared Telegram channels, or entirely independent is unknown.
The timing suggests coordination, but no authoritative source has confirmed an organizational link.
2. APT IRAN's actual identity and sponsorship unknown. Unit 42 describes them as a hacktivist collective, and one source claims a CyberAv3ngers linkage, but no authoritative attribution exists.
3. Source of Handala's engineer data unconfirmed. Multiple experts assess OSINT and infostealers, but the specific acquisition method has not been definitively established.
4. Whether any Lockheed Martin data exists at all is unknown. The two possibilities - complete fabrication and partial data dressed up as something larger - produce different risk profiles.
No independent forensic analysis has been conducted on any material from either APT IRAN or THREAT MARKET.
5. THREAT MARKET's operator identity is unknown. Whether THREAT MARKET was purpose-built for this listing, operated by APT IRAN themselves, or run by an independent party providing infrastructure is unconfirmed.
6. Unit 42's omission is ambiguous. The March 2026 Iran threat brief does not mention the Lockheed Martin claim. This could indicate they assessed it as not credible, that they are tracking it in a classified channel, or that the timing did not align with their publication cycle.
ZERO|TOLERANCE Advisory
This is not a breach. It is an information operation running on two tracks, and the tracks are not equal.
Track one is fabricated: a low-tier hacktivist collective with a borrowed name, an absurd data volume claim, theatrical pricing, zero verified samples, and an unknown marketplace - all pointing to a manufactured narrative designed for headlines.
Every credible indicator says the 375TB claim is false.
Track two is real: a confirmed MOIS proxy with demonstrated destructive capability doxxed 28 defense industry professionals working on the most sensitive U.S. weapons programs, published their passport scans, identified their home addresses, and threatened to kill them.
This data has been verified. This threat is operational. The danger is conflation.
When media coverage blurs these two operations into a single "Lockheed Martin breach" narrative, the fabricated claim borrows credibility from the real targeting, and the real targeting gets lost in the noise of the fabrication.
That conflation is the information operation's design objective.
SOURCES
Hackread, Cybersecurity Dive, SC Media, Cyber Daily, UpGuard, CyberNews, Security Boulevard, Netcrook, ThreatBeat, CyberHub Podcast (James Azar), Palo Alto Networks Unit 42, SOCRadar, Check Point Research, Krebs on Security, DarkWebInformer (@DailyDarkWeb), Lockheed Martin official statements, CSIS, The Diplomat (F-35/Snowden context), ZERO|TOLERANCE prior coverage (Handala FBI Director Patel Gmail Hack)