How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East
A sophisticated phishing campaign targeted high-profile individuals across the Middle East, aiming to steal Gmail credentials, hijack WhatsApp accounts, and collect sensitive user data.
On Tuesday, UK-based Iranian activist Nariman Gharib shared redacted screenshots of a phishing link he received via WhatsApp.
“Do not click on suspicious links,” Gharib warned, saying the campaign appeared to target people involved in Iran-related political and civil activity.
URGENT SECURITY ALERT:
Iranian Revolutionary Guards intelligence has initiated a phishing campaign targeting individuals abroad who are involved in Iran-related activities. The current attack specifically targets WhatsApp users. Do not click on suspicious links. pic.twitter.com/KLob2LrfYG — Nariman Gharib (@NarimanGharib) January 13, 2026
The hacking activity surfaced as Iran faces its most extended nationwide internet shutdown on record, amid ongoing anti-government protests and a violent crackdown. Given Iran’s history of cyber operations and regional tensions, the campaign raised immediate concerns.
Gharib shared the full phishing link with TechCrunch, enabling an analysis of the phishing page’s source code. He also published a detailed technical write-up of his findings. Based on that analysis and input from security researchers, the campaign appeared designed to steal Google Gmail credentials, compromise WhatsApp accounts, and enable surveillance by collecting victims’ location data, photos, and audio recordings.
It remains unclear who was behind the campaign — whether state-linked actors, intelligence operatives, cybercriminals, or a combination of the three. TechCrunch also identified an exposed server that allowed real-time viewing of victims’ submitted data without authentication. The exposed records revealed dozens of victims who had unknowingly entered credentials into the phishing site, likely resulting in account compromise.
Those affected included a Middle Eastern academic specialising in national security, the head of an Israeli drone company, a senior Lebanese cabinet minister, at least one journalist, and several individuals in the United States or using US phone numbers. The phishing infrastructure has since been taken offline.
Inside the attack chain
According to Gharib, the WhatsApp message contained a suspicious link that opened a phishing site in the victim’s browser. The attackers relied on DuckDNS, a dynamic DNS service that lets an operator hide the real location of malicious servers behind simple, easily changed hostnames.
The phishing content was hosted on the domains alex-fabow and onlinee, registered in early November 2025. Several related domains hosted on the same server suggested the campaign also impersonated virtual meeting platforms, including MeetSafe. online and whats-login .online. It remains unclear how the DuckDNS links redirected victims or how the infrastructure determined which phishing page to display.
While the phishing page would not load directly during testing, reviewing the source code provided insight into how the attack worked.
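As an added example (not code from the article or from the researchers it cites), the routine below triages links received over a messaging app for the two infrastructure patterns described above: hostnames under a dynamic-DNS provider such as DuckDNS, and third-party domains carrying a brand name in the style of whats-login or MeetSafe. The sample URLs and the .example domains are constructed for illustration.

```python
"""Added example: triage of URLs received over messaging apps (defender's view)."""
from urllib.parse import urlsplit

# Dynamic-DNS suffixes: anyone can register a subdomain and repoint it at will.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Brand tokens a lookalike host might carry. First-party domains for those
# brands are allow-listed so a genuine login page is never flagged.
BRAND_TOKENS = ("whats", "whatsapp", "gmail", "google", "meet", "signal")
LEGIT_DOMAINS = {"whatsapp.com", "whatsapp.net", "google.com", "gmail.com", "signal.org"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host (adequate for .com/.online-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> list[str]:
    """Return the reasons a link deserves suspicion; an empty list means none were found."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["unparseable URL"]
    reasons: list[str] = []
    if registrable_domain(host) in LEGIT_DOMAINS:
        return reasons  # first-party domain: brand tokens are expected here
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-DNS host (operator can repoint it at any time)")
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand name in a third-party domain (possible lookalike)")
    if url.lower().startswith("http://"):
        reasons.append("plaintext HTTP")
    return reasons


if __name__ == "__main__":
    # Constructed sample links modelled on the patterns the article describes.
    for sample in (
        "https://web.whatsapp.com/",
        "https://whats-login.example/qr",           # constructed lookalike
        "https://update-abc123.duckdns.org/login",  # constructed dynamic-DNS host
    ):
        print(sample, "->", triage_url(sample) or ["no flags"])
```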
Gmail credential theft and phone number harvesting
Depending on the target, clicking the phishing link opened a fake Gmail login page or prompted the user to enter a phone number. The flow was designed to steal passwords and two-factor authentication codes.
A flaw in the phishing setup exposed a server-side file containing records from more than 850 victims. These logs detailed each step of the phishing process, including usernames, passwords, incorrect attempts, and two-factor authentication codes — effectively acting as a keylogger.
The records also included user-agent data, indicating that the campaign targeted users on Windows, macOS, iOS, and Android devices. In several cases, victims repeatedly attempted to log in until the correct credentials were entered, then submitted Google two-factor codes, typically formatted as “G-XXXXXX.”
WhatsApp hijacking and device surveillance
Beyond credential theft, the campaign also attempted to enable direct surveillance. In Gharib’s case, the phishing link opened a fake WhatsApp-themed page displaying a QR code. Victims were lured to scan the code, which linked their WhatsApp account to a device controlled by the attacker.
This technique abuses WhatsApp’s device-linking feature, a known attack method that has also been used against Signal users. Scanning the QR code would give attackers access to the victim’s WhatsApp data.
Security researcher Runa Sandvik, founder of Granitt, reviewed the phishing code and found that it also requested browser permissions to access location data, photos, and audio. If approved, the victim’s location would be transmitted repeatedly, while the code could trigger periodic photo captures and audio recordings. TechCrunch did not find evidence that such media was ultimately stored on the exposed server.
Attribution: espionage or financial crime?
The identity and motivation of the attackers remain uncertain. Fewer than 50 confirmed victims were identified, spanning academics, officials, business leaders, journalists, and members of the Iranian diaspora across the Middle East and beyond.
One possibility is a government-backed espionage operation. The timing, combined with Iran’s internet shutdown and the focus on surveillance, could indicate intelligence gathering. Gary Miller of Citizen Lab said the campaign showed characteristics consistent with spearphishing operations previously linked to Iran’s Islamic Revolutionary Guard Corps, including targeted victims, credential theft, and abuse of messaging platforms.
Another possibility is financial motivation, as stolen Gmail credentials could be used to access sensitive corporate or financial information. However, experts noted that location tracking and media collection are unusual for purely profit-driven cybercrime.
Threat researcher Ian Campbell of DomainTools analysed the domains used in the campaign and found they were registered weeks before protests escalated, suggesting planning. He described the infrastructure as medium- to high-risk and potentially linked to financially motivated cybercrime, though attribution remains inconclusive.
Iran has previously been accused of outsourcing cyber operations to criminal groups to obscure state involvement. The US Treasury has sanctioned Iranian-linked entities in the past for conducting cyberattacks on behalf of the state.
As Miller noted, the campaign reinforces a key lesson: clicking unsolicited WhatsApp links — no matter how convincing — carries significant risk.
Lorenzo Franceschi-Bicchierai contributed reporting.