How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East | TechCrunch

On Tuesday, U.K.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing link sent to him via a WhatsApp message.

"Do not click on suspicious links," Gharib warned. The activist, who is following the digital side of the Iranian protests from afar, said the campaign targeted people involved in Iran-related activities, such as himself.

This hacking campaign comes as Iran grapples with the longest nationwide internet shutdown in its history, as anti-government protests and violent crackdowns rage across the country. Given that Iran and its closest adversaries are highly active in the offensive cyberspace (read: hacking people), we wanted to learn more.

Gharib shared the full phishing link with TechCrunch soon after his post, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared a write-up of his findings.

TechCrunch analyzed the source code of the phishing page, and with added input from security researchers, we believe the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings.

It is unclear, however, if the hackers were government-linked agents, spies, or cybercriminals, or all three.

TechCrunch also identified a way to view a real-time copy of all the victims' responses saved on the attackers' server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site and were subsequently likely hacked.

The list includes a Middle Eastern academic working in national security studies, the boss of an Israeli drone maker, a senior Lebanese cabinet minister, at least one journalist, and people in the United States or with U.S. phone numbers.

TechCrunch is publishing our findings after validating much of Gharib's report. The phishing site is now down.

According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim's browser.

The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers allow people to connect easy-to-remember web addresses (in this case, a duckdns.org subdomain) to a server whose IP address might frequently change.

It's not clear whether the attackers shut down the phishing site of their own accord or were caught and cut off by DuckDNS. We reached out to DuckDNS with inquiries, but its owner, Richard Harper, requested that we send an abuse report instead.

From what we understand, the attackers used DuckDNS to mask the real location of the phishing page, presumably to make it look like a genuine WhatsApp link.

The phishing page was actually hosted at alexfabow.online, a domain that was first registered in early November 2025. This domain has several other related domains hosted on the same dedicated server, and these domain names follow a pattern that suggests the campaign also targeted other providers of virtual meeting rooms, like meetsafe.online and whatslogin.online.

We're not sure what happens while the DuckDNS link loads in the victim's browser, or how the link determines which specific phishing page to load. It may be that the DuckDNS link redirects the target to a specific phishing page based on information it gleans from the user's device.

The phishing page would not load in our web browser, preventing us from directly interacting with it. Reading the source code of the page, however, allowed us to better understand how the attack worked.

Depending on the target, tapping on a phishing link would open a fake Gmail login page, or ask for their phone number and begin an attack flow aimed at stealing their password and two-factor authentication code.

But the source code of the phishing page had at least one flaw. TechCrunch found that by modifying the phishing page's URL in our web browser, we could view a file on the attackers' servers that was storing records of every victim who had entered their credentials.

The file contained over 850 records of information submitted by victims during the attack flow. These records detailed each part of the phishing flow that the victim was in. This included copies of the usernames and passwords that victims had entered on the phishing page, as well as incorrect entries and their two-factor codes, effectively serving as a keylogger.

The records also contained each victim's user agent, a string of text that identifies the operating system and browser versions used to view websites. This data shows that the campaign was designed to target Windows, macOS, iPhone, and Android users.

The exposed file allowed us to follow the attack flow step-by-step for each victim. In one case, the exposed file shows a victim clicking on a malicious link, which opened a page that looked like a Gmail sign-in window. The log shows the victim entering their email credentials several times until they enter the correct password.

The records show the same victim entering their two-factor authentication code, sent to them by text message. We can tell this because Google sends two-factor codes in a specific format, usually "G-xxxxxx," featuring a six-digit numerical code.

Beyond credential theft, this campaign also seemed to enable surveillance by tricking victims into sharing their location, audio, and pictures from their device.

In Gharib's case, tapping on the link in the phishing message opened a fake WhatsApp-themed page in his browser, which displayed a QR code. The lure aims to trick the target into scanning the code on their device, purportedly to access a virtual meeting room.

Gharib said the QR code was generated by the attacker, and scanning or tapping it would instantly link the victim's WhatsApp account to a device controlled by the attacker, granting them access to the victim's data. This is a long-known attack technique that abuses the WhatsApp device-linking feature, and has been similarly abused to target users of messaging app Signal.

We asked Granitt founder Runa Sandvik, a security researcher who works to help secure at-risk individuals, to examine a copy of the phishing page code and see how it functions.

Sandvik found that when the page loaded, the code would trigger a browser notification asking the user for permission to access their location (via navigator.geolocation), as well as photos and audio (navigator.getUserMedia).

If accepted, the browser would immediately send the person's coordinates to the attacker, capable of identifying the location of the victim. The page would then continue to share the victim's location data every few seconds for as long as the page remained open.

The code also allowed the attackers to record bursts of audio and snap photos every three to five seconds using the device camera. However, we did not see any location data, audio, or images that had been collected on the server.

We do not know who is behind this campaign. What is clear is that the campaign was successful in stealing credentials from victims, and it is possible that the phishing campaign could resurface.

Despite knowing the identities of some of the people in this cluster of victims who were targeted, we don't have enough information to understand the nature of the campaign. The number of victims hacked by this campaign that we know of is fairly low (fewer than 50 individuals), and affects seemingly ordinary people across the Kurdish community, as well as academics, government officials, business leaders, and other senior figures across the broader Iranian diaspora and Middle East.

It may be that there are far more victims than we are aware of, which could help us understand who was targeted and potentially why.

It is unclear what motivated the hackers to steal people's credentials and hijack their WhatsApp accounts, which could also help identify who is behind this hacking campaign.

A government-backed group, for example, might want to steal the email password and two-factor codes of a high-value target, like a politician or journalist, so they can download private and confidential information.

That could make sense, since Iran is currently almost entirely cut off from the outside world, and getting information in or out of the country presents a challenge. Both the Iranian government or a foreign government with interests in Iran's affairs could plausibly want to know who influential Iranian-linked individuals are communicating with, and what about.

As such, the timing of this phishing campaign and who it appears to be targeting could point to an espionage campaign aimed at trying to collect information about a narrow list of people.

We asked Gary Miller, a security researcher at Citizen Lab and mobile espionage expert, to also review the phishing code and some of the exposed data from the attackers' server.

Miller said the attack certainly had the hallmarks of an IRGC-linked spear-phishing campaign, referring to highly targeted email hacks carried out by Iran's Islamic Revolutionary Guard Corps (IRGC), a faction of Iran's military known for carrying out cyberattacks. Miller pointed to a mix of indications, including the international scope of victim targeting, credential theft, the abuse of popular messaging platforms like WhatsApp, and social engineering techniques used in the phishing link.

On the other hand, a financially motivated hacker could use the same stolen Gmail password and two-factor code of another high-value target, such as a company executive, to steal proprietary and sensitive business information from their inbox. The hacker could also forcibly reset passwords of their victims' cryptocurrency and bank accounts to empty their wallets.

The campaign's focus on accessing a victim's location and device media, however, is unusual for a financially motivated actor, who might have little use for pictures and audio recordings.

We asked Ian Campbell, a threat researcher at DomainTools, which helps analyze public internet records, to look at the domain names used in the campaign to help understand when they were first set up and if these domains were connected to any other previously known or identified infrastructure.

Campbell found that while the campaign targeted victims in the midst of Iran's ongoing nationwide protests, its infrastructure had been set up weeks ago. He added that most of the domains connected to this campaign were registered in early November 2025, and one related domain was created months back, in August 2025. Campbell described the domains as medium to high risk, and said they appear to be linked to a cybercrime operation driven by financial motivations.

An additional wrinkle is that Iran's government has been known to outsource cyberattacks to criminal hacking groups, presumably to shield its involvement in hacking operations against its citizens. The U.S. Treasury has sanctioned Iranian companies in the past for acting as fronts for Iran's IRGC and conducting cyberattacks, such as launching targeted phishing and social engineering attacks.

As Miller notes: "This drives home the point that clicking on unsolicited WhatsApp links, no matter how convincing, is a high-risk, unsafe practice."

To securely contact this reporter, you can reach out using Signal via the username zackwhittaker.1337.

Lorenzo Franceschi-Bicchierai contributed reporting.
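The two technical threads of the article, the surveillance code that Sandvik found in the captured page (navigator.geolocation and getUserMedia calls fired on a timer) and the exposed submission log that TechCrunch read step by step, are the kind of material an incident responder triages when a phishing kit is recovered. The Python below is an added example, not tooling from TechCrunch, Granitt, Citizen Lab or DomainTools. It scans a saved copy of a page for those browser APIs, a periodic timer and references to dynamic-DNS hosts such as duckdns.org, and it collapses a kit's per-step submission records into one entry per phished account, classifying the platform from the User-Agent, flagging values in Google's "G-xxxxxx" two-factor format, and producing a redacted notification list that never copies passwords. The record field names, the sample page fragment and the sample log entries are constructed for this example; the article does not describe the real kit's file format.

```python
"""Triage of a captured phishing kit: a static scan of the page source for the
surveillance behaviour described above, and a parse of an exposed submission
log to build a notification list. Example code added to this article, not
tooling from TechCrunch, Granitt, Citizen Lab or DomainTools; every sample
input below is constructed."""
import re
from collections import Counter

# Indicators taken from the article: the geolocation and getUserMedia calls the
# page made, and a timer that would drive the "every few seconds" collection.
# The media regex also accepts the modern navigator.mediaDevices form (assumption).
PAGE_INDICATORS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"),
    "media_capture": re.compile(r"navigator\.(mediaDevices\.)?getUserMedia"),
    "periodic_timer": re.compile(r"\bsetInterval\s*\("),
}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)   # provider named in the article; extend as needed
GOOGLE_2FA_CODE = re.compile(r"^G-\d{6}$")  # Google SMS codes: "G-" plus six digits


def scan_page_source(html: str) -> dict:
    """Report which surveillance indicators appear and any dynamic-DNS hosts referenced."""
    findings = {name: bool(rx.search(html)) for name, rx in PAGE_INDICATORS.items()}
    hosts = set(re.findall(r"https?://([A-Za-z0-9.-]+)", html))
    findings["dynamic_dns_hosts"] = sorted(
        h for h in hosts if h.lower().endswith(DYNAMIC_DNS_SUFFIXES))
    findings["surveillance_capable"] = findings["geolocation"] or findings["media_capture"]
    return findings


def platform_from_user_agent(ua: str) -> str:
    """Coarse OS class; order matters since iPhone UAs also mention Mac OS X."""
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Android" in ua:
        return "Android"
    if "Macintosh" in ua:
        return "macOS"
    if "Windows" in ua:
        return "Windows"
    return "other"


def redact_account(account: str) -> str:
    """Mask an identifier before it goes into a notification list or report."""
    if "@" in account:
        local, domain = account.split("@", 1)
        return f"{local[:1]}***@{domain}"
    return f"{account[:3]}***"  # phone number: keep the country-code prefix only


def summarize_victim_log(records: list) -> dict:
    """Collapse per-step submissions into one entry per phished account.

    Each record is one form submission captured by the kit (field names are an
    assumption for this example): the flow step ("account", "password" or "otp"),
    the account being phished, the submitted value and the browser User-Agent.
    Submitted passwords are counted, never copied into the summary.
    """
    victims = {}
    for rec in records:
        entry = victims.setdefault(rec["account"], {
            "redacted": redact_account(rec["account"]),
            "platform": platform_from_user_agent(rec["user_agent"]),
            "password_attempts": 0,
            "google_otp_submitted": False,
        })
        if rec["step"] == "password":
            entry["password_attempts"] += 1
        elif rec["step"] == "otp" and GOOGLE_2FA_CODE.match(rec["value"].strip()):
            entry["google_otp_submitted"] = True
    return {
        "victims": victims,
        "platforms": Counter(v["platform"] for v in victims.values()),
        # Accounts that handed over a well-formed 2FA code were most likely fully
        # compromised, so they head the notification and credential-rotation list.
        "notify_first": sorted(v["redacted"] for v in victims.values()
                               if v["google_otp_submitted"]),
    }


# --- Constructed sample inputs; not data from the real campaign ---
SAMPLE_PAGE = """<script>
  navigator.geolocation.getCurrentPosition(onPosition);
  setInterval(function () {
    navigator.mediaDevices.getUserMedia({ audio: true, video: true }).then(onMedia);
  }, 4000);
  var next = "https://example-meeting.duckdns.org/room";
</script>"""
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15"
WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
SAMPLE_LOG = [
    {"step": "account", "account": "alice@example.com", "value": "alice@example.com", "user_agent": IPHONE_UA},
    {"step": "password", "account": "alice@example.com", "value": "wrong-guess-1", "user_agent": IPHONE_UA},
    {"step": "password", "account": "alice@example.com", "value": "wrong-guess-2", "user_agent": IPHONE_UA},
    {"step": "password", "account": "alice@example.com", "value": "correct-horse", "user_agent": IPHONE_UA},
    {"step": "otp", "account": "alice@example.com", "value": "G-482913", "user_agent": IPHONE_UA},
    {"step": "account", "account": "+15550100", "value": "+15550100", "user_agent": WINDOWS_UA},
    {"step": "password", "account": "+15550100", "value": "hunter2", "user_agent": WINDOWS_UA},
]

if __name__ == "__main__":
    print(scan_page_source(SAMPLE_PAGE))
    print(summarize_victim_log(SAMPLE_LOG))
```

On the sample page the scanner reports all three indicators and the duckdns.org host; on the sample log it yields one iOS victim with three password attempts and a submitted Google-format code, who heads the notification list, and one Windows victim who never reached the 2FA step. The summary deliberately carries only redacted identifiers and counts, so it can be handed to an abuse desk or to affected people without re-distributing the stolen credentials.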
Security Editor

Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.
© 2025 TechCrunch Media LLC