LA Metro (LACMTA) Iran-linked breach (2026)
Iran-linked hackers breached Los Angeles' transit agency LA Metro in March 2026, stealing at least 700 GB of internal data and disrupting passenger-information and TAP fare systems.
- Victim: Los Angeles County Metropolitan Transportation Authority
In mid-March 2026, the Los Angeles County Metropolitan Transportation Authority (LA Metro), the public agency that operates rail and bus service across Los Angeles County, was hit by an intrusion that forced parts of its network offline and took weeks to fully recover from. A pro-Iran persona calling itself "Ababil of Minab" claimed responsibility, asserting it had stolen and then deleted data from the agency's systems. Israeli researchers have since tied the operation to Iran's Ministry of Intelligence and Security.
What happened
The breach disrupted several customer-facing systems, including real-time arrival information displays and TAP card reloading, although trains and buses continued operating normally throughout. Researchers later reported that the attackers reached operational displays inside the agency's environment, and that at least 700 GB of emails, backups, and internal files were exfiltrated, material that was subsequently found inadvertently exposed online.
In late May and early June 2026, the Israeli cybersecurity firm Gambit published forensic analysis concluding that "Ababil of Minab" was unlikely to be a genuine standalone hacktivist crew. Instead, Gambit said infrastructure and tradecraft tied the intrusion to Black Shadow, a group the Israel National Cyber Directorate has attributed to Iran's Ministry of Intelligence and Security (MOIS). Gambit linked the same actor to a broader campaign against transit and other organizations in the United States and the Middle East.
Why it matters
The incident underscores how pro-Iran operators have increasingly targeted U.S. critical infrastructure, blending hacktivist-style claims with state-directed activity. Los Angeles is a host city for the 2026 FIFA World Cup, raising the stakes for the resilience of its transit network. While trains and buses kept moving, the disruption to passenger-information and fare systems, combined with the exfiltration of hundreds of gigabytes of internal data, illustrates how a transit agency's back-office and customer-facing IT can be degraded without touching the trains themselves.
Timeline
Intrusion at the LACMTA network is detected; parts of Los Angeles' public-transport systems are forced offline.
Customer-facing services, including real-time arrival displays and TAP card reloading, are disrupted, while trains and buses keep running. A persona calling itself 'Ababil of Minab' claims to have stolen and then deleted data.
Reporting links the breach to Iranian operators after at least 700 GB of stolen emails, backups, and internal files are found inadvertently exposed online.
Israeli security firm Gambit attributes the operation to Black Shadow (a group the Israel National Cyber Directorate ties to Iran's Ministry of Intelligence and Security), dismissing 'Ababil of Minab' as a front.
Sources
- techcrunch.com: https://techcrunch.com/2026/05/26/iranian-hackers-blamed-for-breach-of-los-angeles-transit-system-that-took-weeks-to-recover/
- nbcnews.com: https://www.nbcnews.com/tech/security/iranian-hackers-responsible-los-angeles-transit-system-breach-israeli-rcna346881
- cybersecuritydive.com: https://www.cybersecuritydive.com/news/iranian-government-not-hacktivist-group-breached-la-metro-system-securit/821112/
- jpost.com: https://www.jpost.com/middle-east/iran-news/article-897739
- industrialcyber.co: https://industrialcyber.co/industrial-cyber-attacks/gambit-links-iran-linked-black-shadow-group-to-destructive-cyber-campaign-targeting-us-middle-east-organizations/
- thenextweb.com: https://thenextweb.com/news/iran-hackers-la-metro-breach-gambit-security