On Tuesday, U.K.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing link sent to him via a WhatsApp message.

“Do not click on suspicious links,” Gharib warned. The activist, who is following the digital side of the Iranian protests from afar, said the campaign targeted people involved in Iran-related activities, such as himself.

This hacking campaign comes as Iran grapples with the longest nationwide internet shutdown in its history, as anti-government protests — and violent crackdowns — rage across the country. Given that Iran and its closest adversaries are highly active in the offensive cyberspace (read: hacking people), we wanted to learn more. 

Gharib shared the full phishing link with TechCrunch soon after his post, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared a write-up of his findings.

TechCrunch analyzed the source code of the phishing page, and with added input from security researchers, we believe the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings. 

It is unclear, however, if the hackers were government-linked agents, spies, or cybercriminals — or all three. 

TechCrunch also identified a way to view a real-time copy of all the victims’ responses saved on the attacker’s server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site and were subsequently likely hacked.

The list includes a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and people in the United States or with U.S. phone numbers. 

TechCrunch is publishing our findings after validating much of Gharib’s report. The phishing site is now down.

Inside the attack chain

According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim’s browser.

The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers allow people to connect easy-to-remember web addresses — in this case, a duckdns.org subdomain — to a server where its IP address might frequently change. 

It’s not clear whether the attackers shut down the phishing site of their own accord or were caught and cut off by DuckDNS. We reached out to DuckDNS with inquiries, but its owner Richard Harper requested that we send an abuse report instead.

From what we understand, the attackers used DuckDNS to mask the real location of the phishing page, presumably to make it look like a genuine WhatsApp link. 

The phishing page was actually hosted at alex-fabow.online, a domain that was first registered in early November 2025. This domain has several other, related domains hosted on the same dedicated server, and these domain names follow a pattern that suggests the campaign also targeted other providers of virtual meeting rooms, like meet-safe.online and whats-login.online.

We’re not sure what happens while the DuckDNS link loads in the victim’s browser, or how the link determines which specific phishing page to load. It may be that the DuckDNS link redirects the target to a specific phishing page based on information it gleans from the user’s device.

The phishing page would not load in our web browser, preventing us from directly interacting with it. Reading the source code of the page, however, allowed us to better understand how the attack worked.

Gmail credential and phone number phishing

Depending on the target, tapping on a phishing link would open a fake Gmail login page, or ask for their phone number, and begin an attack flow aimed at stealing their password and two-factor authentication code. 

But the source code of the phishing page code had at least one flaw: TechCrunch found that by modifying the phishing page’s URL in our web browser, we could view a file on the attacker’s servers that was storing records of every victim who had entered their credentials. 

The file contained over 850 records of information submitted by victims during the attack flow. These records detailed each part of the phishing flow that the victim was in. This included copies of the usernames and passwords that victims had entered on the phishing page, as well as incorrect entries and their two-factor codes, effectively serving as a keylogger. 

The records also contained each victim’s user agent, a string of text that identifies the operating system and browser versions used to view websites. This data shows that the campaign was designed to target Windows, macOS, iPhone, and Android users.

The exposed file allowed us to follow the attack flow step-by-step for each victim. In one case, the exposed file shows a victim clicking on a malicious link, which opened a page that looked like a Gmail sign-in window. The log shows the victim entering their email credentials several times until they enter the correct password. 

The records show the same victim entering their two-factor authentication code sent to them by text message. We can tell this because Google sends two-factor codes in a specific format (usually G-xxxxxx, featuring a six-digit numerical code).

WhatsApp hijack and browser data exfiltration

Beyond credential theft, this campaign also seemed to enable surveillance by tricking victims into sharing their location, audio, and pictures from their device.

In Gharib’s case, tapping on the link in the phishing message opened a fake WhatsApp-themed page in his browser, which displayed a QR code. The lure aims to trick the target into scanning the code on their device, purportedly to access a virtual meeting room.

Gharib said the QR code was generated by the attacker, and scanning or tapping it would instantly link the victim’s WhatsApp account to a device controlled by the attacker, granting them access to the victim’s data. This is a long-known attack technique that abuses the WhatsApp device linking feature and has been similarly abused to target users of messaging app Signal.

We asked Granitt founder Runa Sandvik, a security researcher who works to help secure at-risk individuals, to examine a copy of the phishing page code and see how it functions. 

Sandvik found that when the page loaded, the code would trigger a browser notification asking the user for permission to access their location (via navigator.geolocation), as well as photos and audio (navigator.getUserMedia). 

If accepted, the browser would immediately send the person’s coordinates to the attacker, capable of identifying the location of the victim. The page would then continue to share the victim’s location data every few seconds, for as long as the page remained open. 

The code also allowed the attackers to record bursts of audio and snap photos every three to five seconds using the device camera. However, we did not see any location data, audio, or images that had been collected on the server.

Thoughts on victims, timing, and attribution

We do not know who is behind this campaign. What is clear is that the campaign was successful in stealing credentials from victims, and it is possible that the phishing campaign could resurface. 

Despite knowing the identities of some of the people in this cluster of victims who were targeted, we don’t have enough information to understand the nature of the campaign. The number of victims hacked by this campaign (that we know of) is fairly low — fewer than 50 individuals — and affects seemingly ordinary people across the Kurdish community, as well as academics, government officials, business leaders, and other senior figures across the broader Iranian diaspora and Middle East.

It may be that there are far more victims than we are aware of, which could help us understand who was targeted and potentially why.

The case that this could be a government-backed actor

It is unclear what motivated the hackers to steal people’s credentials and hijack their WhatsApp accounts, which could also help identify who is behind this hacking campaign.

A government-backed group, for example, might want to steal the email password and two-factor codes of a high-value target, like a politician or journalist, so they can download private and confidential information.

That could make sense since Iran is currently almost entirely cut off from the outside world, and getting information in or out of the country presents a challenge. Both the Iranian government, or a foreign government with interests in Iran’s affairs, could plausibly want to know who influential Iranian-linked individuals are communicating with, and what about.

As such, the timing of this phishing campaign and who it appears to be targeting could point to an espionage campaign aimed at trying to collect information about a narrow list of people.

We asked Gary Miller, a security researcher at Citizen Lab and mobile espionage expert, to also review the phishing code and some of the exposed data from the attacker’s server. 

Miller said the attack “certainly [had] the hallmarks of an IRGC-linked spearphishing campaign,” referring to highly targeted email hacks carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC), a faction of Iran’s military known for carrying out cyberattacks. Miller pointed to a mix of indications, including the international scope of victim targeting, credential theft, the abuse of popular messaging platforms like WhatsApp, and social engineering techniques used in the phishing link.

The case that this might be a financially motivated actor

On the other hand, a financially motivated hacker could use the same stolen Gmail password and two-factor code of another high-value target, such as a company executive, to steal proprietary and sensitive business information from their inbox. The hacker could also forcibly reset passwords of their victim’s cryptocurrency and bank accounts to empty their wallets.

The campaign’s focus on accessing a victim’s location and device media, however, is unusual for a financially motivated actor, who might have little use for pictures and audio recordings.

We asked Ian Campbell, a threat researcher at DomainTools, which helps analyze public internet records, to take a look at the domain names used in the campaign to help understand when they were first set up, and if these domains were connected to any other previously known or identified infrastructure. 

Campbell found that while the campaign targeted victims in the midst of Iran’s ongoing nationwide protests, its infrastructure had been set up weeks ago. He added that most of the domains connected to this campaign were registered in early November 2025, and one related domain was created months back in August 2025. Campbell described the domains as medium-to-high risk, and said they appear to be linked to a cybercrime operation driven by financial motivations.

An additional wrinkle is that Iran’s government has been known to outsource cyberattacks to criminal hacking groups, presumably to shield its involvement in hacking operations against its citizens. The U.S. Treasury has sanctioned Iranian companies in the past for acting as fronts for Iran’s IRGC and conducting cyberattacks, such as launching targeted phishing and social engineering attacks. 

As Miller notes, “This drives home the point that clicking on unsolicited WhatsApp links, no matter how convincing, is a high-risk, unsafe practice.”

To securely contact this reporter, you can reach out using Signal via the username: zackwhittaker.1337

Lorenzo Franceschi-Bicchierai contributed reporting.