USA Business Watch – Insightful News on Economy, Finance, Politics & Industry
Information Technology

A hacking campaign targeting prominent Gmail and WhatsApp users across the Middle East

By Bussiness Insights, January 16, 2026

On Tuesday, UK-based Iranian activist Nariman Gharib tweeted an edited screenshot of a phishing link sent to him via a WhatsApp message.

“Don’t click on suspicious links,” Gharib warned. The activist, who follows the digital side of Iran’s protests from afar, said the campaign targets people like himself who are involved in Iran-related activities.

The hacking operation comes as Iran grapples with the longest nationwide internet shutdown in its history, amid escalating anti-government protests and violent crackdowns across the country. Given that Iran and its closest adversaries are very active in offensive cyber operations (that is, hacking people), we wanted to know more.

Gharib shared the full phishing link with TechCrunch shortly after posting, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared an article summarizing his findings.

TechCrunch analyzed the phishing page’s source code and combined it with information from security researchers to conclude that the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and voice recordings.

However, it is unclear whether the hackers are government agents, spies, cybercriminals, or all three.

TechCrunch also identified a way to view a real-time copy of all victim responses stored on the attacker’s servers. This copy remains public and can be accessed without a password. This data revealed dozens of victims who unknowingly entered their credentials into phishing sites and were likely subsequently hacked.

The list also includes Middle Eastern scholars working on national security studies, the CEO of an Israeli drone manufacturer, a senior Lebanese minister, at least one journalist, and people who reside in the United States or have a United States phone number.

TechCrunch is publishing its findings after verifying many of Gharib’s reports. The phishing site is currently offline.

Inside the attack chain

According to Gharib, the WhatsApp message he received contained a suspicious link that loaded a phishing site in the victim’s browser.

[Image: Two screenshots of WhatsApp messages displayed side by side, showing a malicious link to whatsapp-meeting.duckdns.org. Image credit: Nariman Gharib]

The link indicates that the attackers relied on a dynamic DNS provider called DuckDNS in their phishing campaign. A dynamic DNS provider lets an operator point an easy-to-remember web address (in this case, a duckdns.org subdomain) at servers whose IP addresses may change frequently.

It is unclear whether the attackers took down the phishing site themselves or whether they were caught and blocked by DuckDNS. We contacted DuckDNS, but its owner, Richard Harper, requested that we submit a report of abuse on his behalf.

From what we understand, the attackers used DuckDNS to mask the actual location of the phishing page, possibly making it look like a genuine WhatsApp link.

The phishing page was actually hosted on the domain alex-fabow.online, which was first registered in early November 2025. Several related domains are hosted on the same dedicated server, and their names follow a pattern suggesting the campaign also targeted users of other virtual meeting and messaging services, for example meet-safe.online and whats-login.online.

We don’t know exactly what happens when the DuckDNS link loads in a victim’s browser, or how the link determines which specific phishing page to load. The DuckDNS link may redirect targets to specific phishing pages based on information collected from the user’s device.

The phishing page no longer loads in a web browser, so we could not interact with it directly. However, by reading the page’s source code, we were able to better understand how the attack worked.
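As an added illustration that is not part of the original article, the following Python helper shows how a defender might triage a link delivered over a messaging app for the traits described above: a dynamic DNS host such as duckdns.org, or a domain that borrows a WhatsApp or meeting keyword outside the brand’s own domain. The provider list, keyword mapping, and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Dynamic DNS services whose subdomains any registrant can claim; a subdomain under
# them says nothing about who operates the site (assumed list for this example).
DYNAMIC_DNS_DOMAINS = {"duckdns.org", "ddns.net", "dyndns.org"}

# Lure keywords seen in the campaign's domain names, mapped to domains that may
# legitimately carry them (assumed mapping for this example; extend for your own use).
BRAND_KEYWORDS = {
    "whats": ("whatsapp.com", "whatsapp.net"),
    "meet": ("google.com",),
    "login": (),  # no brand owns "login"; outside a known domain it is a generic lure
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (enough for the suffixes used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_link(url: str) -> list[str]:
    """Return reasons the link deserves suspicion; an empty list means none found."""
    has_scheme = "://" in url
    parsed = urlparse(url if has_scheme else "//" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    reasons = []
    if registered_domain(host) in DYNAMIC_DNS_DOMAINS:
        reasons.append(f"dynamic DNS host: {host}")
    for keyword, legit in BRAND_KEYWORDS.items():
        owned = any(host == d or host.endswith("." + d) for d in legit)
        if keyword in host and not owned:
            reasons.append(f"'{keyword}' used outside the brand's domain: {host}")
    if has_scheme and parsed.scheme == "http":
        reasons.append("plain HTTP")
    return reasons


def triage_message(text: str) -> dict[str, list[str]]:
    """Map every URL found in a chat message to its triage reasons."""
    return {url: triage_link(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    # Constructed message mirroring the lure shape described in the article.
    sample = "Join our meeting: https://whatsapp-meeting.duckdns.org/room (constructed)"
    for url, reasons in triage_message(sample).items():
        print(url, "->", reasons or ["no findings"])
```

Note that a neutral-looking hosting domain such as alex-fabow.online produces no findings, which is why keyword and dynamic DNS checks only complement, and do not replace, infrastructure lookups of the kind DomainTools performed later in the article.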

Gmail credentials and phone number phishing

Depending on the target, tapping a phishing link opens a fake Gmail login page or requests a phone number, starting an attack flow aimed at stealing passwords and two-factor authentication codes.

However, there was at least one flaw in the phishing page’s code. TechCrunch discovered that by changing the URL of the phishing page in a web browser, it was possible to view a file on the attacker’s server that stores a record of every victim who entered their credentials.

This file contained over 850 records of information submitted by victims during the attack flow. The records detailed each part of the phishing flow the victim engaged with, including a copy of the username and password the victim typed into the phishing page, any mistyped entries, and the two-factor code, so the file effectively acted as a keylogger.

The records also included each victim’s user-agent string, which identifies the operating system and browser version used to view the website. This data shows that the campaign was designed to target Windows, macOS, iPhone, and Android users.

The exposed files allow us to follow the attack flow step by step, victim by victim. In one case, the files show that the victim clicked on a malicious link, which opened a page resembling a Gmail sign-in window. The logs show the victim entering their email credentials several times before entering the correct password.

The records then show the same victim entering a two-factor authentication code sent via text message. This is recognizable because Google sends two-factor codes in a specific format (usually G-xxxxxx, where xxxxxx is a 6-digit numeric code).

WhatsApp hijacking and browser data leakage

Beyond credential theft, the campaign appears to enable surveillance by tricking victims into sharing their device location, audio, and photos.

In Gharib’s case, tapping the link in the phishing message opened a fake WhatsApp-themed page in his browser that displayed a QR code. This lure is designed to trick targets into scanning the code with their device in order to join a virtual meeting room.

[Image: A stream of records exposed by the attacker’s server, showing attack flow data such as sign-ins and password entries on the phishing pages. Image credit: TechCrunch]

Gharib said the QR code is generated by the attacker, and when it is scanned or tapped, the victim’s WhatsApp account is instantly linked to an attacker-controlled device, granting access to the victim’s data. This is a long-known attack technique that abuses WhatsApp’s device-linking feature, and the same technique has been used to target users of the messaging app Signal.

We asked Runa Sandvik, founder of Granitt and a security researcher who helps protect the safety of at-risk individuals, to examine a copy of the phishing page’s code to see how it works.

Sandvik found that when the page loads, its code triggers a browser permission prompt asking the user for access to their location (via navigator.geolocation) and to their camera and microphone (via navigator.getUserMedia).

If accepted, the browser instantly sends the person’s coordinates to the attacker, allowing them to locate the victim. The page then continues to share the victim’s location data every few seconds as long as the page is open.

The code also allowed the attacker to use the device’s camera and microphone to take photos and record bursts of audio every 3 to 5 seconds. However, we did not see any location data, audio, or images collected on the server.

Thoughts on victimhood, timing, and attribution

We don’t know who is behind this campaign. What is clear is that this campaign was successful in stealing credentials from victims, and phishing campaigns may resurface.

Although the identities of some of the people in this targeted victim population are known, there is not enough information to understand the nature of the campaign. The number of victims hacked by this campaign (as far as we know) is quite small, less than 50. And it has affected not only seemingly ordinary people across the Kurdish community, but also academics, government officials, business leaders, and other dignitaries in the broader Iranian diaspora and Middle East.

There may be many more victims than we realize, and that could help us understand who was targeted and potentially why.

The case for a government-backed attacker

It is unclear what motivated the hackers to steal people’s credentials and hijack their WhatsApp accounts, but this could also help identify those behind this hacking operation.

For example, a government-backed group could steal the email passwords and two-factor codes of high-value targets such as politicians and journalists, allowing them to download personal and sensitive information.

This may come as no surprise since Iran is currently almost completely cut off from the outside world, making it a challenge to obtain information both domestically and internationally. It may be reasonable for both the Iranian government and foreign governments with an interest in Iranian affairs to want to know with whom and how influential individuals associated with Iran are communicating.

Therefore, given the timing of this phishing campaign and who is being targeted, it may be an espionage operation aimed at gathering information about a limited number of people.

We also asked Gary Miller, a security researcher and mobile espionage expert at Citizen Lab, to examine the phishing code and some of the data leaked from the attackers’ servers.

Miller said the attack “certain[ly] [had]” the characteristics of highly targeted email hacks carried out by the Iranian Islamic Revolutionary Guard Corps (IRGC), a faction of the Iranian military known for carrying out cyberattacks. He pointed to a variety of indicators, including the international scope of the victim targeting, the credential theft, the abuse of popular messaging platforms such as WhatsApp, and the social engineering techniques used in the phishing links.

The case for a financially motivated attacker

Meanwhile, a financially motivated hacker could use the same stolen Gmail password and two-factor code from another high-value target, such as a company executive, to steal sensitive business information from their inbox. Hackers could also force password resets on victims’ crypto and bank accounts and empty their wallets.

However, the campaign’s focus on accessing victims’ location and device media is unusual for a financially motivated attacker, to whom photos and audio recordings would rarely be useful.

We asked Ian Campbell, a threat researcher at DomainTools, which analyzes public internet records, to examine the domain names used in the campaign to understand when they were first established and whether they were connected to other previously known or identified infrastructure.

Campbell discovered that while the campaign was targeting victims during ongoing protests across Iran, the infrastructure had been in place weeks earlier. He added that most of the domains associated with this campaign were registered in early November 2025, and one of the associated domains was created several months earlier, in August 2025. Campbell described these domains as medium to high risk and said they appeared to be associated with financially motivated cybercriminal activity.

Even more troubling, the Iranian government is known to outsource cyberattacks to criminal hacking groups, presumably to obscure its involvement in hacking operations against its own citizens. The U.S. Treasury Department has in the past sanctioned Iranian companies that acted as fronts for Iran’s Revolutionary Guard and conducted cyberattacks such as targeted phishing and social engineering attacks.

“This shows that clicking on unsolicited WhatsApp links, no matter how convincing, is a risky and unsafe activity,” Miller said.

To contact this reporter securely, use Signal using username zackwhittaker.1337.

Lorenzo Franceschi-Bicchierai contributed reporting.


