Israeli cybersecurity researchers said Iranian state-backed hackers carried out the March cyberattack on the Los Angeles County Metropolitan Transportation Authority, stealing at least 700 gigabytes of emails, backups and other files, according to Reuters.
Reuters reported that Gambit Security, a Tel Aviv-based cybersecurity firm, made the determination after finding stolen data that had been unintentionally exposed online. The firm said its analysis traced the server holding the data to a hacking operation that Israeli officials and researchers had previously tied to Tehran.
LACMTA detected the intrusion around March 16. Weeks later, a little-known pro-Iran group calling itself Ababil of Minab surfaced online and claimed responsibility, posting a video it said showed the group moving through the transit authority’s network.
U.S. and Israeli researchers have described Ababil and similar groups as fronts for Iranian intelligence, citing their rhetoric and methods, according to Reuters. The group’s name references the bombing of a girls’ school in the Iranian city of Minab.
Gambit threat intelligence director Eyal Sela told Reuters the Iran connection “has been a working assumption,” adding that the firm’s report provides forensic evidence to back it up.
LACMTA did not respond to questions about the findings. In a statement last month, officials said they were working with law enforcement and cybersecurity specialists to restore systems.
“Attribution is part of the investigation and we will not speculate,” the statement said.
Transit officials said trains and buses kept running throughout the incident. Local media reported the breach knocked out some arrival screens and left riders unable to load money onto their transit cards.
The FBI said it was aware of the incident and “coordinating with partners in response,” but declined to say more. Iran’s mission to the United Nations did not return messages seeking comment.
Ababil also has claimed responsibility for hacks on South Florida’s Tri-Rail commuter railroad and vehicle tracking company Vyncs. Tri-Rail confirmed the breach but said no critical data was compromised. Vyncs owner Agnik said it detected unauthorized access on April 2 and declined to specify what was taken. Both companies said the FBI was involved in their cases.
Editor’s note: This report is based on a Reuters investigation published May 26, 2026.