Iranian hackers breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) systems in March 2026, stealing at least 700 gigabytes of emails, backups, and other data, according to multiple sources [1, 2, 3]. The attack caused parts of the transit system's network to shut down, including disruptions to electronic display boards and fare recharge systems, but train and bus services remained operational during the incident [1, 2].
The hacking group claiming responsibility is known as Ababil of Minab. They are believed to be linked to Iranian intelligence agencies, specifically the Ministry of Intelligence and State Security (MOIS) [1, 2, 3]. The group cited retaliation for a U.S. airstrike on a school in Minab, Iran, which reportedly killed more than 175 children and teachers [1, 3].
Gambit Security, an Israeli cybersecurity firm, published a forensic report on May 26 linking the breach to a previous Iran-related hacking operation and backing the claim of Iranian government involvement. Eyal Sela of Gambit Security said, "What our research adds is the forensic evidence to support it." The firm added that Ababil of Minab "are not a new, standalone hacktivist crew as they claim" but are likely connected to state-backed actors [1, 3].
U.S. authorities including the FBI are actively investigating the breach and coordinating a response to the attack, according to officials [1, 2]. This attack is part of a wider increase in Iranian cyber activity targeting American critical infrastructure seen since early 2026, following U.S. and Israeli military strikes against Iranian sites in transportation, healthcare, and energy sectors internationally [2, 3].
Authorities issued warnings about heightened Iranian hacker targeting of U.S. infrastructure in April 2026, shortly after the LACMTA breach was discovered [3]. The Gambit Security report on May 26 marks the latest detailed attribution tying the attack to Iranian intelligence-linked actors [1, 3].
