On Tuesday, U.Ok.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing hyperlink despatched to him by way of a WhatsApp message.
“Don’t click on on suspicious hyperlinks,” Gharib warned. The activist, who’s following the digital facet of the Iranian protests from afar, mentioned the marketing campaign focused folks concerned in Iran-related actions, reminiscent of himself.
This hacking marketing campaign comes as Iran grapples with the longest nationwide web shutdown in its historical past, as anti-government protests — and violent crackdowns — rage throughout the nation. Provided that Iran and its closest adversaries are extremely lively within the offensive our on-line world (learn: hacking folks), we wished to study extra.
Gharib shared the total phishing hyperlink with TechCrunch quickly after his put up, permitting us to seize a replica of the supply code of the phishing net web page used within the assault. He additionally shared a write-up of his findings.
TechCrunch analyzed the supply code of the phishing web page, and with added enter from safety researchers, we consider the marketing campaign aimed to steal Gmail and different on-line credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location information, photographs, and audio recordings.
It’s unclear, nevertheless, if the hackers have been government-linked brokers, spies, or cybercriminals — or all three.
TechCrunch additionally recognized a option to view a real-time copy of all of the victims’ responses saved on the attacker’s server, which was left uncovered and accessible and not using a password. This information revealed dozens of victims who had unwittingly entered their credentials into the phishing website and have been subsequently probably hacked.
The record features a Center Jap educational working in nationwide safety research; the boss of an Israeli drone maker; a senior Lebanese cupboard minister; at the least one journalist; and other people in the US or with U.S. telephone numbers.
TechCrunch is publishing our findings after validating a lot of Gharib’s report. The phishing website is now down.
Contained in the assault chain
In accordance with Gharib, the WhatsApp message he acquired contained a suspicious hyperlink, which loaded a phishing website within the sufferer’s browser.
The hyperlink exhibits that the attackers relied on a dynamic DNS supplier known as DuckDNS for his or her phishing marketing campaign. Dynamic DNS suppliers enable folks to attach easy-to-remember net addresses — on this case, a duckdns.org subdomain — to a server the place its IP tackle may regularly change.
It’s not clear whether or not the attackers shut down the phishing website of their very own accord or have been caught and lower off by DuckDNS. We reached out to DuckDNS with inquiries, however its proprietor Richard Harper requested that we ship an abuse report as a substitute.
From what we perceive, the attackers used DuckDNS to masks the actual location of the phishing web page, presumably to make it appear like a real WhatsApp hyperlink.
The phishing web page was truly hosted at alex-fabow.on-line, a website that was first registered in early November 2025. This area has a number of different, associated domains hosted on the identical devoted server, and these domains comply with a sample that implies the marketing campaign additionally focused different suppliers of digital assembly rooms, like meet-safe.on-line and whats-login.on-line.
We’re unsure what occurs whereas the DuckDNS hyperlink hundreds within the sufferer’s browser, or how the hyperlink determines which particular phishing web page to load. It could be that the DuckDNS hyperlink redirects the goal to a particular phishing web page based mostly on info it gleans from the person’s gadget.
The phishing web page wouldn’t load in our net browser, stopping us from straight interacting with it. Studying the supply code of the web page, nevertheless, allowed us to raised perceive how the assault labored.
Gmail credential and telephone quantity phishing
Relying on the goal, tapping on a phishing hyperlink would open a pretend Gmail login web page, or ask for his or her telephone quantity, and start an assault movement geared toward stealing their password and two-factor authentication code.
However the supply code of the phishing web page code had at the least one flaw: TechCrunch discovered that by modifying the phishing web page’s URL in our net browser, we may view a file on the attacker’s servers that was storing data of each sufferer who had entered their credentials.
The file contained over 850 data of knowledge submitted by victims in the course of the assault movement. These data detailed every a part of the phishing movement that the sufferer was in. This included copies of the usernames and passwords that victims had entered on the phishing web page, in addition to incorrect entries and their two-factor codes, successfully serving as a keylogger.
The data additionally contained every sufferer’s person agent, a string of textual content that identifies the working system and browser variations used to view web sites. This information exhibits that the marketing campaign was designed to focus on Home windows, macOS, iPhone, and Android customers.
The uncovered file allowed us to comply with the assault movement step-by-step for every sufferer. In a single case, the uncovered file exhibits a sufferer clicking on a malicious hyperlink, which opened a web page that seemed like a Gmail sign-in window. The log exhibits the sufferer coming into their electronic mail credentials a number of instances till they enter the proper password.
The data present the identical sufferer coming into their two-factor authentication code despatched to them by textual content message. We will inform this as a result of Google sends two-factor codes in a particular format (normally G-xxxxxx, that includes a six-digit numerical code).
WhatsApp hijack and browser information exfiltration
Past credential theft, this marketing campaign additionally appeared to allow surveillance by tricking victims into sharing their location, audio, and photos from their gadget.
In Gharib’s case, tapping on the hyperlink within the phishing message opened a pretend WhatsApp-themed web page in his browser, which displayed a QR code. The lure goals to trick the goal into scanning the code on their gadget, purportedly to entry a digital assembly room.
Gharib mentioned the QR code was generated by the attacker, and scanning or tapping it could immediately hyperlink the sufferer’s WhatsApp account to a tool managed by the attacker, granting them entry to the sufferer’s information. This can be a long-known assault method that abuses the WhatsApp gadget linking characteristic and has been equally abused to goal customers of messaging app Sign.
We requested Granitt founder Runa Sandvik, a safety researcher who works to assist safe at-risk people, to look at a replica of the phishing web page code and see the way it capabilities.
Sandvik discovered that when the web page loaded, the code would set off a browser notification asking the person for permission to entry their location (by way of navigator.geolocation), in addition to photographs and audio (navigator.getUserMedia).
If accepted, the browser would instantly ship the individual’s coordinates to the attacker, able to figuring out the placement of the sufferer. The web page would then proceed to share the sufferer’s location information each few seconds, for so long as the web page remained open.
The code additionally allowed the attackers to document bursts of audio and snap photographs each three to 5 seconds utilizing the gadget digicam. Nonetheless, we didn’t see any location information, audio, or photographs that had been collected on the server.
Ideas on victims, timing, and attribution
We have no idea who’s behind this marketing campaign. What is evident is that the marketing campaign was profitable in stealing credentials from victims, and it’s attainable that the phishing marketing campaign may resurface.
Regardless of figuring out the identities of a few of the folks on this cluster of victims who have been focused, we don’t have sufficient info to grasp the character of the marketing campaign. The variety of victims hacked by this marketing campaign (that we all know of) is pretty low — fewer than 50 people — and impacts seemingly odd folks throughout the Kurdish group, in addition to teachers, authorities officers, enterprise leaders, and different senior figures throughout the broader Iranian diaspora and Center East.
It could be that there are much more victims than we’re conscious of, which may assist us perceive who was focused and doubtlessly why.
The case that this may very well be a government-backed actor
It’s unclear what motivated the hackers to steal folks’s credentials and hijack their WhatsApp accounts, which may additionally assist establish who’s behind this hacking marketing campaign.
A government-backed group, for instance, may need to steal the e-mail password and two-factor codes of a high-value goal, like a politician or journalist, to allow them to obtain non-public and confidential info.
That might make sense since Iran is at present virtually solely lower off from the surface world, and getting info in or in a foreign country presents a problem. Each the Iranian authorities, or a overseas authorities with pursuits in Iran’s affairs, may plausibly need to know who influential Iranian-linked people are speaking with, and what about.
As such, the timing of this phishing marketing campaign and who it seems to be concentrating on may level to an espionage marketing campaign geared toward attempting to gather details about a slender record of individuals.
We requested Gary Miller, a safety researcher at Citizen Lab and cell espionage professional, to additionally evaluation the phishing code and a few of the uncovered information from the attacker’s server.
Miller mentioned the assault “actually [had] the hallmarks of an IRGC-linked spearphishing marketing campaign,” referring to extremely focused electronic mail hacks carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC), a faction of Iran’s navy identified for finishing up cyberattacks. Miller pointed to a mixture of indications, together with the worldwide scope of sufferer concentrating on, credential theft, the abuse of fashionable messaging platforms like WhatsApp, and social engineering methods used within the phishing hyperlink.
The case that this is likely to be a financially motivated actor
Alternatively, a financially motivated hacker may use the identical stolen Gmail password and two-factor code of one other high-value goal, reminiscent of an organization government, to steal proprietary and delicate enterprise info from their inbox. The hacker may additionally forcibly reset passwords of their sufferer’s cryptocurrency and financial institution accounts to empty their wallets.
The marketing campaign’s deal with accessing a sufferer’s location and gadget media, nevertheless, is uncommon for a financially motivated actor, who might need little use for photos and audio recordings.
We requested Ian Campbell, a risk researcher at DomainTools, which helps analyze public web data, to have a look at the domains used within the marketing campaign to assist perceive after they have been first arrange, and if these domains have been related to every other beforehand identified or recognized infrastructure.
Campbell discovered that whereas the marketing campaign focused victims within the midst of Iran’s ongoing nationwide protests, its infrastructure had been arrange weeks in the past. He added that many of the domains related to this marketing campaign have been registered in early November 2025, and one associated area was created months again in August 2025. Campbell described the domains as medium to excessive threat and mentioned they seem like linked to a cybercrime operation pushed by monetary motivations.
A further wrinkle is that Iran’s authorities has been identified to outsource cyberattacks to prison hacking teams, presumably to protect its involvement in hacking operations in opposition to its residents. The U.S. Treasury has sanctioned Iranian corporations prior to now for performing as fronts for Iran’s IRGC and conducting cyberattacks, reminiscent of launching focused phishing and social engineering assaults.
As Miller notes, “This drives house the purpose that clicking on unsolicited WhatsApp hyperlinks, irrespective of how convincing, is a high-risk, unsafe follow.”
To securely contact this reporter, you possibly can attain out utilizing Sign by way of the username: zackwhittaker.1337
Lorenzo Franceschi-Bicchierai contributed reporting.