On Tuesday, U.K.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing link sent to him via a WhatsApp message.
“Do not click on suspicious links,” Gharib warned. The activist, who is tracking the digital side of the Iranian protests from afar, said the campaign targeted people active in Iran-related activities, such as himself.
This hacking campaign comes as Iran grapples with the longest nationwide internet shutdown in its history, as anti-government protests — and violent crackdowns — rage across the country. Given that Iran and its closest adversaries are highly active in offensive cyberspace (read: hacking people), we wanted to learn more.
Gharib shared the full phishing link with TechCrunch soon after his post, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared a write-up of his findings.
TechCrunch analyzed the source code of the phishing page, and with added input from security researchers, we believe the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings.
It is unclear, however, if the hackers were government-linked agents, spies, or cybercriminals — or all three.
TechCrunch also identified a way to view a real-time copy of all of the victims’ responses saved on the attacker’s server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site, and were subsequently likely hacked.
The list includes a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; as well as people in the United States or with U.S. phone numbers.
TechCrunch is publishing our findings after validating much of Gharib’s report. The phishing site is now down.
Inside the attack chain
According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim’s browser.
Image Credits: Nariman Gharib
The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers let people connect easy-to-remember web addresses — in this case, a duckdns.org subdomain — to a server whose IP address might change often.
It’s not clear if the attackers shut down the phishing site of their own accord, or were caught and cut off by DuckDNS. We reached out to DuckDNS with questions, but its owner Richard Harper requested that we send an abuse report instead.
From what we understand, the attackers used DuckDNS to disguise the real location of the phishing page, presumably to make it look like a genuine WhatsApp link.
The phishing page was actually hosted at alex-fabow.online, a domain that was first registered in early November 2025. This domain has several other, related domains hosted on the same dedicated server, and these domain names follow a pattern suggesting that the campaign also impersonated other providers of virtual meeting rooms, such as meet-safe.online and whats-login.online.
We’re not sure what happens while the DuckDNS link loads in the victim’s browser, or how the link determines which specific phishing page to load. It may be that the DuckDNS link redirects the target to a specific phishing page based on information it gleans from the user’s device, such as the browser’s user-agent.
The phishing page would not load in our web browser, preventing us from directly interacting with it. Reading the source code of the page, however, allowed us to better understand how the attack worked.
Gmail credential and phone number phishing
Depending on the target, tapping on a phishing link would open a fake Gmail login page, or ask for their phone number, and begin an attack flow aimed at stealing their password and two-factor authentication code.
But the source code of the phishing page had at least one flaw: TechCrunch found that by modifying the phishing page’s URL in our web browser, we could view a file on the attacker’s server that was storing records of every victim who had entered their credentials.
The file contained over 850 records of information submitted by victims during the attack flow. These records detailed which part of the phishing flow each victim was in. This included copies of the usernames and passwords that victims had entered on the phishing page, as well as incorrect entries and their two-factor codes, effectively serving as a keylogger.
The records also contained each victim’s user-agent, a string of text that identifies the operating system and browser versions used to view websites. This data shows that the campaign was designed to target Windows, macOS, iPhone and Android users.
The exposed file allowed us to follow the attack flow step-by-step for each victim. In one case, the exposed file shows a victim clicking on a malicious link, which opened a page that looked like a Gmail sign-in window. The log shows the victim entering their email credentials several times until they entered the correct password.
The records show the same victim entering the two-factor authentication code sent to them by text message. We can tell this because Google sends its SMS two-factor codes in a specific format (usually G-xxxxxx, a six-digit numerical code prefixed with “G-”).
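As an added example that is not part of the original article or the attacker’s kit, the following Python triages a log file of the kind described above: it reconstructs each victim’s flow from the records, counts password attempts, flags records that match Google’s G-xxxxxx SMS code format, and classifies the user-agent by platform. The record layout (JSON lines with `session`, `ts`, `step`, `value` and `ua` fields) is an assumption, since the article does not publish the real file’s format; the sample records are constructed and the values are invented.

```python
"""Triage of an exposed phishing-kit log (assumed JSON-lines layout)."""
import json
import re
from collections import defaultdict

# Google's SMS one-time codes are "G-" followed by six digits.
GOOGLE_2FA_RE = re.compile(r"^G-\d{6}$")

# Constructed sample (invented values): session s1 tries two wrong passwords,
# then the right one, then an SMS code; s2 abandons the flow at the phone prompt.
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"session": "s1", "ts": 1, "step": "email", "value": "victim@example.com", "ua": WIN_UA},
    {"session": "s1", "ts": 2, "step": "password", "value": "wrongpass1", "ua": WIN_UA},
    {"session": "s1", "ts": 3, "step": "password", "value": "wrongpass2", "ua": WIN_UA},
    {"session": "s1", "ts": 4, "step": "password", "value": "correct-horse", "ua": WIN_UA},
    {"session": "s1", "ts": 5, "step": "otp", "value": "G-482913", "ua": WIN_UA},
    {"session": "s2", "ts": 6, "step": "phone", "value": "+1 555 0100", "ua": IOS_UA},
])


def parse_records(text):
    """Parse JSON lines, skipping blank or half-written lines (live logs are often torn)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def platform_from_user_agent(ua):
    """Coarse platform bucket. iOS is checked first because its UA also says 'Mac OS X'."""
    ua = ua or ""
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Android" in ua:
        return "Android"
    if "Windows" in ua:
        return "Windows"
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "macOS"
    return "unknown"


def reconstruct_flows(records):
    """Group records per session in time order and summarise how far each victim got."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_session[r["session"]].append(r)
    flows = {}
    for sid, recs in by_session.items():
        passwords = [r["value"] for r in recs if r["step"] == "password"]
        otp = next((r["value"] for r in recs if GOOGLE_2FA_RE.match(str(r["value"]))), None)
        flows[sid] = {
            "steps": [r["step"] for r in recs],
            "platform": platform_from_user_agent(recs[0].get("ua")),
            "password_attempts": len(passwords),
            # The last password typed before the OTP step is the one that worked.
            "last_password": passwords[-1] if passwords else None,
            "google_2fa_captured": otp is not None,
        }
    return flows


def likely_compromised(flows):
    """Sessions where a valid-looking Google code was captured: account takeover is probable."""
    return sorted(sid for sid, f in flows.items() if f["google_2fa_captured"])


if __name__ == "__main__":
    summary = reconstruct_flows(parse_records(SAMPLE_LOG))
    for sid, f in summary.items():
        print(sid, f["platform"], f["steps"], "2FA captured:", f["google_2fa_captured"])
    print("likely compromised:", likely_compromised(summary))
```

The point of the per-session grouping is that a single 850-record file is not 850 victims: repeated password attempts and abandoned flows inflate the count, and only sessions that reached the OTP step with a well-formed code are the ones to prioritise for victim notification.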
WhatsApp hijack and browser data exfiltration
Beyond credential theft, this campaign also seemed to enable surveillance by tricking victims into sharing their location, audio, and pictures from their device.
In Gharib’s case, tapping on the link in the phishing message opened a fake WhatsApp-themed page in his browser, which displayed a QR code. The lure aims to trick the target into scanning the code with their device, purportedly to access a virtual meeting room.
Image Credits: TechCrunch
Gharib said the QR code was generated by the attacker, and scanning or tapping it would instantly link the victim’s WhatsApp account to a device controlled by the attacker, granting them access to the victim’s data. This is a long-known attack method that abuses the WhatsApp linked-devices feature, and the same technique has been used to target users of the messaging app Signal.
We asked Granitt founder Runa Sandvik, a security researcher who works to help secure at-risk individuals, to analyze a copy of the phishing page code and see how it functions.
Sandvik found that once the page loaded, the code would trigger a browser permission prompt asking the user for access to their location (via navigator.geolocation), as well as to their camera and microphone (navigator.getUserMedia).
If accepted, the browser would immediately send the person’s coordinates to the attacker, which could identify the location of the victim. The page would then continue to send the victim’s location data every few seconds, for as long as the page remained open.
The code also allowed the attackers to record bursts of audio and capture photos every 3 to 5 seconds using the device camera. However, we did not see any location data, audio, or images that had been collected on the server.
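The page behaviour Sandvik describes can be spotted from captured source without executing it. The following Python is an added example, not code from the article or from the phishing kit: it scans a page’s HTML/JavaScript for the browser sensor APIs named above (geolocation, both the legacy `navigator.getUserMedia` and the current `navigator.mediaDevices.getUserMedia`), for `setInterval` timers that would repeat the capture, and for network sinks that could carry the data out. The captured page snippet is constructed for the example and only mimics the pattern the article describes; the `/u.php` path in it is invented.

```python
"""Static triage of captured phishing-page source for surveillance behaviour."""
import re

# Constructed sample page (not the real kit): watches location, opens camera/mic,
# repeats a capture every 4 seconds, and posts data back. The endpoint is invented.
CAPTURED_PAGE = """
<script>
navigator.geolocation.watchPosition(function (p) {
  fetch("/u.php", {method: "POST", body: JSON.stringify(p.coords)});
});
navigator.mediaDevices.getUserMedia({audio: true, video: true}).then(function (s) {
  setInterval(snap, 4000);
});
</script>
"""

# Sensor APIs that need a user permission prompt. Legacy and vendor-prefixed
# getUserMedia spellings are included because old kits still use them.
SENSOR_APIS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)"),
    "camera_or_mic": re.compile(r"navigator\.(?:mediaDevices\.)?(?:webkitG|mozG|g)etUserMedia"),
}
# Ways a page can push data to a server.
EXFIL_SINKS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b")
# setInterval(callback, <ms>): the literal millisecond argument, if any.
INTERVAL = re.compile(r"setInterval\s*\([^,]+,\s*(\d+)")


def triage_page_source(html):
    """Return which sensor APIs, repeat timers and network sinks appear in the source."""
    findings = {
        "sensor_apis": [name for name, rx in SENSOR_APIS.items() if rx.search(html)],
        "repeat_intervals_s": sorted(int(m.group(1)) / 1000 for m in INTERVAL.finditer(html)),
        "exfil_sinks": sorted({m.group(1) for m in EXFIL_SINKS.finditer(html)}),
    }
    # Sensor access plus a way to send it out is the surveillance signature;
    # either alone is common in benign pages.
    findings["surveillance_likely"] = bool(findings["sensor_apis"] and findings["exfil_sinks"])
    return findings


if __name__ == "__main__":
    result = triage_page_source(CAPTURED_PAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two caveats when using this on a real capture: kits often obfuscate or build the API names at runtime, so a clean static scan is not proof of absence, and modern browsers only grant geolocation and getUserMedia in a secure context (HTTPS), which is one reason a phishing operator bothers to obtain a valid certificate for a throwaway domain.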
Thoughts on victims, timing, and attribution
We do not know who is behind this campaign. What is clear is that the campaign was successful in stealing credentials from victims, and it is possible that the phishing campaign could resurface.
Despite knowing the identities of some of the people in this cluster of targeted victims, we don’t have enough information to understand the nature of the campaign. The number of victims hacked by this campaign (that we know of) is fairly low — fewer than 50 individuals — and includes seemingly ordinary people across the Kurdish community, as well as academics, government officials, business leaders, and other senior figures across the broader Iranian diaspora and the Middle East.
It may be that there are far more victims than we are aware of, which could help us understand who was targeted and possibly why.
The case that this could be a government-backed actor
It is unclear what motivated the hackers to steal people’s credentials and hijack their WhatsApp accounts; knowing the motive could also help identify who is behind this hacking campaign.
A government-backed group, for example, might want to steal the email password and two-factor codes of a high-value target, like a public figure or journalist, so they can download private and confidential information.
That could make sense since Iran is currently almost entirely cut off from the outside world, and getting information in or out of the country presents a challenge. Either the Iranian government or a foreign government with interests in Iran’s affairs could plausibly want to know whom influential Iranian-linked individuals are communicating with, and what about.
As such, the timing of this phishing campaign and who it appears to be targeting could point to an espionage campaign aimed at collecting information about a narrow list of people.
We asked Gary Miller, a security researcher at Citizen Lab and mobile espionage expert, to also review the phishing code and some of the exposed data from the attacker’s server.
Miller said the attack “certainly [had] the hallmarks of an IRGC-linked spearphishing campaign,” referring to highly targeted email hacks carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC), a faction of Iran’s military known for carrying out cyberattacks. Miller pointed to a mix of indications, including the global scope of victim targeting, credential theft, the abuse of popular messaging platforms like WhatsApp, and the social engineering techniques used in the phishing link.
The case that this might be a financially motivated actor
On the other hand, a financially motivated hacker could use the same stolen Gmail password and two-factor code of a different high-value target, such as a company executive, to steal proprietary and sensitive business information from their inbox. The hacker could also forcibly reset the passwords of their victim’s cryptocurrency and bank accounts to empty their wallets.
The campaign’s focus on accessing a victim’s location and device media, however, is unusual for a financially motivated actor, who might have little use for pictures and audio recordings.
We asked Ian Campbell, a threat researcher at DomainTools, which helps analyze public internet records, to take a look at the domain names used in the campaign to help understand when they were first set up, and whether these domains were connected to any other previously known or identified infrastructure.
Campbell found that while the campaign targeted victims in the midst of Iran’s ongoing nationwide protests, its infrastructure had been set up weeks earlier. He added that most of the domains connected to this campaign were registered in early November 2025, and one related domain was created months earlier, in August 2025. Campbell described the domains as medium-to-high risk, and said they appear to be linked to a cybercrime operation driven by financial motivations.
An additional wrinkle is that Iran’s government has been known to outsource cyberattacks to criminal hacking groups, presumably to shield its involvement in hacking operations against its own citizens. The U.S. Treasury has sanctioned Iranian companies in the past for acting as fronts for Iran’s IRGC and conducting cyberattacks, such as launching targeted phishing and social engineering attacks.
As Miller notes, “This drives home the point that clicking on unsolicited WhatsApp links, no matter how convincing, is a high-risk, unsafe practice.”
To securely contact this reporter, you can reach out using Signal via the username: zackwhittaker.1337
Lorenzo Franceschi-Bicchierai contributed reporting.