How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East
On Tuesday, U.K.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing link sent to him via a WhatsApp message. “Do not click on suspicious links,” Gharib warned. The activist, who is following the digital side of the Iranian protests from afar, said the campaign targeted people involved in Iran-related activities, such as himself.

This hacking campaign comes as Iran grapples with the longest nationwide internet shutdown in its history, as anti-government protests - and violent crackdowns - rage across the country. Given that Iran and its closest adversaries are highly active in the offensive cyberspace (read: hacking people), we wanted to learn more.

Gharib shared the full phishing link with TechCrunch soon after his post, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared a write-up of his findings.

TechCrunch analyzed the source code of the phishing page, and with added input from security researchers, we believe the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings. It is unclear, however, if the hackers were government-linked agents, spies, or cybercriminals - or all three.

TechCrunch also identified a way to view a real-time copy of all the victims’ responses saved on the attacker’s server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site and were subsequently likely hacked. The list includes a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and people in the United States or with U.S. phone numbers.

TechCrunch is publishing our findings after validating much of Gharib’s report. The phishing site is now down.
Inside the attack chain

According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim’s browser.

[Image: redacted screenshot of the WhatsApp message and phishing link. Image Credits: Nariman Gharib]

The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers allow people to connect easy-to-remember web addresses - in this case, a duckdns.org subdomain - to a server whose IP address might frequently change. It’s not clear if the attackers shut down the phishing site of their own accord, or were caught and cut off by DuckDNS. We reached out to DuckDNS with inquiries, but its owner Richard Harper requested that we send an abuse report instead.

From what we understand, the attackers used DuckDNS to mask the real location of the phishing page, presumably to make it look like a genuine WhatsApp link. The phishing page was actually hosted at alex-fabow.online, a domain that was first registered in early November 2025. This domain has several other, related domains hosted on the same dedicated server, and these domain names follow a pattern that suggests that the campaign...