At a Glance
- Attackers used WhatsApp phishing links to harvest Gmail and WhatsApp credentials
- Over 850 victim records exposed on an unprotected attacker server
- Targets included a Middle Eastern academic, an Israeli drone-company CEO, a Lebanese minister, and people with U.S. phone numbers

Why it matters: The campaign shows how state-aligned or criminal actors can weaponize a messaging app to spy on high-profile figures during Iran’s internet blackout.
Hackers launched a phishing blitz over WhatsApp that stole Gmail passwords, hijacked WhatsApp accounts, and siphoned location data, photos, and audio from victims in the middle of Iran’s longest-ever internet shutdown, according to code reviewed by News Of Philadelphia after activist Nariman Gharib shared the malicious link he had received.
How the phishing trap worked
A message sent to Gharib on Tuesday carried a DuckDNS link that redirected to a fake WhatsApp or Gmail login page. The attackers had registered the landing domain alex-fabow.online in early November 2025 and paired it with related domains such as meet-safe.online and whats-login.online to spoof virtual-meeting logins.
- Targets saw a Gmail login form or a WhatsApp QR code
- Scanning the QR code linked the victim’s WhatsApp account to an attacker-controlled device, using the same pairing mechanism WhatsApp relies on for WhatsApp Web and other linked devices, which gave the attacker access to the account’s messages
- A browser prompt then requested access to location, camera, and microphone
- If granted, the page streamed the victim’s coordinates to the server every few seconds and captured a camera photo every 3-5 seconds
More than 850 victim entries sat in an unprotected text file on the server, exposing usernames, passwords, mistyped credentials, and two-factor codes in real time. Because the page logged every submission, the file functioned like a keylogger, revealing the exact step each victim had reached in the hijack flow.
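What an investigator can pull out of such a log, as an added example that is not code from the page or from the researchers involved: the attacker’s real file layout is not published, so the one-event-per-line format, the stage names and the sample entries below are constructed assumptions. The script reconstructs how far each victim got in the flow, counts extra password attempts (the mistyped credentials the article mentions), and redacts secrets before they reach the timeline, since an investigator’s own report must not re-expose what the attacker leaked.

```python
"""Reconstruct each victim's progress through the hijack flow from an exposed
attacker log. Added example, not the attacker's code or the researchers'
tooling: the real log layout is not public, so the
"<epoch> <victim-id> <stage> key=value ..." format and the sample lines
below are constructed assumptions."""
import re
from collections import Counter, defaultdict

# Stages of the hijack flow in the order the page describes them.
STAGES = ["landing", "gmail_user", "gmail_pass", "gmail_2fa",
          "wa_qr_linked", "perms_granted", "location"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Keys whose values are victim secrets; they are redacted before any output.
SECRET_KEYS = {"pass", "code"}

# Constructed sample log (not real victim data); one line is deliberately malformed.
SAMPLE_LOG = """\
1731500001 v1 landing ip=203.0.113.5
1731500010 v1 gmail_user user=alice@example.com
1731500015 v1 gmail_pass pass=wrongpass1
1731500022 v1 gmail_pass pass=hunter22
1731500030 v1 gmail_2fa code=482913
1731500002 v2 landing ip=198.51.100.9
1731500040 v2 wa_qr_linked device=attacker-01
1731500050 v2 perms_granted geo=1 cam=1 mic=0
1731500055 v2 location lat=35.69 lon=51.39
1731500060 v2 location lat=35.70 lon=51.38
this line is garbage and must be skipped
1731500070 v3 landing ip=192.0.2.7
1731500075 v3 gmail_user user=bob@example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<victim>\S+) (?P<stage>\S+)(?: (?P<payload>.*))?$")


def parse_line(line):
    """Return one event dict, or None for malformed or unknown-stage lines."""
    m = LINE_RE.match(line.strip())
    if not m or m["stage"] not in RANK:
        return None
    payload = m["payload"] or ""
    fields = dict(kv.split("=", 1) for kv in payload.split() if "=" in kv)
    return {"ts": int(m["ts"]), "victim": m["victim"],
            "stage": m["stage"], "fields": fields}


def redact(fields):
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in fields.items()}


def reconstruct(log_text):
    """Per victim: furthest stage reached, the counts an investigator cares
    about, and a redacted, time-ordered timeline."""
    victims = defaultdict(lambda: {
        "furthest": "landing", "password_attempts": 0, "otp_codes": 0,
        "location_fixes": 0, "permissions": {}, "timeline": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        v = victims[ev["victim"]]
        if RANK[ev["stage"]] > RANK[v["furthest"]]:
            v["furthest"] = ev["stage"]
        if ev["stage"] == "gmail_pass":
            v["password_attempts"] += 1   # more than 1 means a mistyped credential was captured too
        elif ev["stage"] == "gmail_2fa":
            v["otp_codes"] += 1
        elif ev["stage"] == "perms_granted":
            v["permissions"] = dict(ev["fields"])
        elif ev["stage"] == "location":
            v["location_fixes"] += 1
        v["timeline"].append((ev["ts"], ev["stage"], redact(ev["fields"])))
    for v in victims.values():
        v["timeline"].sort(key=lambda e: e[0])
    return dict(victims)


def stage_counts(victims):
    """How many victims stopped at each stage: the 'how far did they get' view."""
    return Counter(v["furthest"] for v in victims.values())


if __name__ == "__main__":
    result = reconstruct(SAMPLE_LOG)
    for vid, v in sorted(result.items()):
        print(vid, v["furthest"], "pw_attempts=%d otp=%d fixes=%d" %
              (v["password_attempts"], v["otp_codes"], v["location_fixes"]))
    print(dict(stage_counts(result)))
```

The stage ranking is what turns a flat dump into the step-by-step view the article describes: a victim whose last event is a 2FA code got past the password form, and a victim with location fixes granted the browser permission prompt.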
Victims span governments and diaspora
The exposed file named dozens of compromised accounts, including:
- A Middle Eastern academic specializing in national security
- The CEO of an Israeli drone manufacturer
- A senior Lebanese cabinet minister
- At least one journalist
- Multiple people with U.S. phone numbers
Most victims appear to be ordinary members of the Kurdish community, along with business and government figures tied to Iranian affairs. Fewer than 50 have been identified so far, but the size of the attacker infrastructure hints at wider targeting.
Attribution unclear: spies, criminals, or both?
No group has claimed the campaign. Analysts see evidence pointing both ways:
Signs of state sponsorship
- Gary Miller, security researcher at Citizen Lab, noted the international scope, credential theft, WhatsApp abuse, and social engineering match IRGC-linked spear-phishing tactics
- With Iran cut off from the global internet, intelligence services could benefit from reading diaspora communications
Signs of cyber-crime
- Ian Campbell, threat researcher at DomainTools, found domains registered weeks before Iran’s protests, a pattern typical of financially motivated actors
- Tehran has historically outsourced attacks to criminal proxies to hide state involvement
The mixed motives leave the campaign’s ultimate purpose unresolved.
Key takeaways
- Never click unsolicited WhatsApp links, even if they appear to come from a contact
- Dynamic DNS services like DuckDNS can mask malicious servers, because a free subdomain can be pointed at any IP address and repointed at will; DuckDNS did not respond to News Of Philadelphia’s inquiry
- Exposed attacker logs can offer investigators a rare step-by-step view of a phishing flow, highlighting how easily credentials, 2FA codes, and private media can be harvested
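A first-pass triage of the links in a chat message that checks for the two traits this campaign combined, a dynamic-DNS redirector and look-alike login domains, as an added example rather than tooling from the page or the researchers quoted. The dynamic-DNS parents, brand tokens and allowlist are short constructed sets, the sample message is constructed, and domain age (the DomainTools angle) is left out because it needs a WHOIS lookup that cannot run offline.

```python
"""Triage links in a chat message for the two traits this campaign combined:
a dynamic-DNS redirector and look-alike login domains. Added example, not the
researchers' tooling; the host sets below are short, constructed assumptions."""
import re
from urllib.parse import urlparse

# Dynamic-DNS parents whose subdomains anyone can point at any IP (partial list).
DYNAMIC_DNS = {"duckdns.org", "ddns.net", "hopto.org", "no-ip.org", "dyndns.org"}
# Tokens a phishing landing domain borrows from the brand it impersonates.
BRAND_TOKENS = ("whats", "gmail", "google", "meet", "zoom", "teams")
# Domains that legitimately host those logins (assumed allowlist).
ALLOWED = {"whatsapp.com", "google.com", "gmail.com", "zoom.us", "microsoft.com"}

# Scheme-prefixed URLs, or bare hostnames as they often appear in chat messages.
URL_RE = re.compile(r"""https?://[^\s<>"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?""",
                    re.IGNORECASE)

# Constructed sample message, not a real one from the campaign.
SAMPLE_MESSAGE = ("Hi, join the call here: https://meet-safe.online/join "
                  "then confirm on https://abcd.duckdns.org/wa, thanks")


def registrable(host):
    """Naive apex: last two labels. No public-suffix list, so co.uk-style
    suffixes come out wrong; good enough for a first-pass triage."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    apex = registrable(host)
    if apex in ALLOWED:
        return {"url": url, "host": host, "verdict": "allow",
                "reasons": ["known login domain"]}
    reasons = []
    if apex in DYNAMIC_DNS:
        reasons.append("dynamic-DNS hostname under " + apex)
    hits = [t for t in BRAND_TOKENS if t in apex]
    if hits:
        reasons.append("look-alike: brand token(s) %s on non-brand domain" % ",".join(hits))
    verdict = "block" if reasons else "review"
    if not reasons:
        reasons.append("unknown domain, not on allowlist")
    if parsed.scheme == "http":
        reasons.append("plain http")   # informational only; does not change the verdict
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage_message(text):
    """Extract every link in a message and triage each one."""
    return [triage(u.rstrip(".,)")) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for r in triage_message(SAMPLE_MESSAGE):
        print(r["verdict"].upper(), r["host"], "|", "; ".join(r["reasons"]))
```

The allowlist is checked first so that web.whatsapp.com or accounts.google.com never trips the brand-token rule; everything else is either blocked on a concrete signal or sent for review, which is the right default for a link that arrived unsolicited.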
The phishing site is now offline, but researchers warn the same infrastructure could resurface in future waves.