Israeli cybersecurity firm links LA Metro hack to Iranian intelligence agency

Attribution remains part of the investigation. They would not speculate.
The LA Metro authority declined to confirm the Iranian connection despite forensic evidence presented by Israeli researchers.

In the months following a renewed escalation of armed conflict, the digital front has quietly extended itself into the daily rhythms of American civic life. A March intrusion into Los Angeles County's transit network — stripping 700 gigabytes of emails and operational files — has now been forensically linked by an Israeli cybersecurity firm to Iran's Ministry of Intelligence, suggesting that what riders experienced as darkened information screens and frozen payment terminals was, in fact, a calculated act of statecraft. The attack is not an isolated incident but one thread in a broader Iranian campaign targeting infrastructure, institutions, and individuals across multiple countries. It is a reminder that in modern conflict, the battlefield is everywhere ordinary life depends on systems it cannot see.

  • A group calling itself Ababil de Minab — named after an airstrike that Iranian officials say killed more than 175 children — claimed the March breach, blending grief and aggression into a digital weapon.
  • Seven hundred gigabytes of LA Metro data vanished into a public-facing server, and though trains kept running, riders were left without real-time information and unable to reload their transit cards.
  • Tel Aviv-based Gambit Security, staffed in part by veterans of Israel's Unit 8200, says forensic trails now connect the attack directly to Iran's Ministry of Intelligence — turning a working hypothesis into an evidentiary claim.
  • The same group has been linked to breaches of Florida's Tri-Rail system, a vehicle-tracking company, a Turkish insurance brokerage, and media and educational institutions in Israel — a pattern of targets chosen for disruption, not just data.
  • The FBI is coordinating a response, but the transit authority, federal cybersecurity officials, and intelligence agencies have all declined to confirm attribution publicly, leaving the forensic case in the hands of a private firm.
  • This attack is one node in a campaign that has also reached a major medical equipment manufacturer, the FBI director's email, and fuel pump displays at gas stations across the country — a sustained, shapeshifting pressure on American infrastructure.

In March, someone entered the computer systems of the Los Angeles County Metropolitan Transportation Authority and left with 700 gigabytes of data — emails, backups, operational files belonging to the agency that moves millions of people across one of America's largest cities. The breach was discovered on March 16. Two weeks later, a group calling itself Ababil de Minab claimed responsibility, posting a video suggesting they had destroyed much of what they took. Service never stopped, but riders noticed: the real-time displays went dark, and the card-reload systems failed.

This week, Gambit Security — a Tel Aviv-based firm founded in part by veterans of Israel's Unit 8200 — presented forensic evidence linking the attack to Iran's Ministry of Intelligence and Security. Director of threat intelligence Eyal Sela told Reuters that what had been a working hypothesis now had forensic backing, with stolen data traced to a public-facing server and connected to prior operations already attributed to Tehran by Israeli and American officials.

The group's name is not incidental. Ababil de Minab references a February 28 airstrike on a girls' school in the Iranian city of Minab — an attack Iranian officials say killed more than 175 children and teachers. Researchers from both countries have identified this kind of hacktivist branding as a method Iranian state espionage uses to claim credit while maintaining plausible distance.

The reach of the campaign extends well beyond Los Angeles. Gambit identified additional victims: a media organization and educational institution in Israel, an insurance brokerage in Turkey. The same group claimed attacks on Florida's Tri-Rail commuter system and Vyncs, a vehicle-tracking company — both of which confirmed breaches and FBI involvement. The FBI acknowledged awareness of the LA Metro incident but offered nothing further. The transit authority declined to confirm Gambit's attribution, saying the investigation was ongoing.

The LA Metro breach is one thread in a larger pattern that researchers have traced to Iranian hackers since late February: a breach of medical equipment giant Stryker, the theft of FBI Director Kash Patel's emails, and the remote manipulation of fuel pump displays at gas stations across the United States. Each operation targets a different layer of American life. None of them, so far, show signs of stopping.

In March, someone broke into the Los Angeles County Metropolitan Transportation Authority's computer systems and walked away with 700 gigabytes of data—emails, backups, files that belonged to the agency running buses and trains across one of America's largest metro areas. The intrusion was discovered on March 16. Two weeks later, a group calling itself Ababil de Minab claimed responsibility, posting a video claiming they had destroyed much of what they took. The transit authority said service never stopped, but riders noticed the real-time information displays went dark and the card-reload systems stopped working.

This week, a Tel Aviv-based cybersecurity firm called Gambit Security presented forensic evidence linking the attack directly to Iran's Ministry of Intelligence and Security. The company, founded partly by veterans of Israel's Unit 8200—the equivalent of the NSA—traced the stolen data to a public-facing server and connected it to previous hacking operations that Israeli and American officials had already attributed to Tehran. Eyal Sela, Gambit's director of threat intelligence, told Reuters that what had been a working hypothesis now had forensic backing.

The name of the group claiming the attack carries its own weight. Ababil de Minab references an airstrike on February 28 against a girls' school in that Iranian city, an attack Iranian officials say killed more than 175 children and teachers. The group's language and methods match patterns researchers from both countries have identified in hacktivist collectives that function as cover for Iranian state espionage. It is a way of claiming credit while maintaining plausible distance.

Beyond Los Angeles, Gambit identified other victims: a media organization and an educational institution in Israel, an insurance brokerage in Turkey. The same group claimed attacks on Florida's Tri-Rail commuter system and Vyncs, a vehicle-tracking company. Tri-Rail confirmed the breach but said the compromised data was not critical. Vyncs discovered its intrusion on April 2. Both companies confirmed the FBI was involved in the response.

The FBI acknowledged it was aware of the LA Metro incident and coordinating with partners but offered no further comment. The Cybersecurity and Infrastructure Security Agency said nothing. The transit authority itself declined to confirm Gambit's attribution, saying in a statement that attribution remained part of the ongoing investigation and they would not speculate.

This attack sits within a larger pattern. Since late February, when the armed conflict began, researchers have traced a series of digital operations to Iranian hackers. They include a breach of Stryker, a major medical equipment manufacturer; the theft of emails belonging to FBI Director Kash Patel; and the remote manipulation of fuel pump displays at gas stations across the United States, according to CNN. Each operation targets a different kind of infrastructure or official, each one a message. The LA Metro breach is one thread in a campaign that shows no sign of stopping.

"The forensic evidence now supports what had been a working hypothesis about the connection to Tehran."
— Eyal Sela, Gambit Security director of threat intelligence

"Attribution forms part of the investigation and we will not speculate."
— LA Metro Authority statement
The Hearth Conversation: another perspective on the story
Inventor

Why would Iran target a transit system in Los Angeles specifically? What's the strategic value?

Model

It's not really about the transit system itself. It's about showing reach—that they can get into critical American infrastructure and stay undetected long enough to steal massive amounts of data. It's psychological as much as operational.

Inventor

But they claimed to destroy the data. If they're trying to prove capability, why not keep it?

Model

The destruction claim is part of the cover. The real value is in what they extracted before they claimed to delete it. They have the data; the public destruction is theater that lets them claim victory while the actual intelligence work happens quietly.

Inventor

The group's name references a specific airstrike. Are they saying this is retaliation?

Model

They're saying it's connected. The name ties the hack to a real event, a real death toll. It's a way of framing the attack as part of a broader conflict, not just random cybercrime. It gives it political weight.

Inventor

Why would Iran use a hacktivist front instead of just claiming it directly?

Model

Deniability. If something goes wrong diplomatically or legally, the state can distance itself. The hacktivists get the credit, the state gets the intelligence. It's a proven playbook.

Inventor

What happens next? Does LA Metro have to rebuild everything?

Model

They're already rebuilding. But the real question is whether this becomes part of a sustained campaign or a one-off. The pattern suggests sustained. There's a medical equipment company hit, government officials targeted, fuel pumps manipulated. This isn't one attack. It's a strategy.

Want the full article? Read the original at Infobae