    Articles Stock
    How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East

    By Naveed Ahmad | 16/01/2026 | Updated: 01/02/2026

    **Iranian Activist Uncovers Massive Phishing Campaign Targeting Middle Eastern Victims**

    As a digital activist, I’ve been monitoring the online activities surrounding the Iranian protests from afar. Recently, I stumbled upon a brazen phishing campaign targeting high-profile Gmail and WhatsApp users across the Middle East. The sheer scope of the attack is shocking, and it’s left me wondering who’s behind it.

    The campaign, which has been operating for weeks, targeted individuals involved in Iran-related activities, including the Iranian diaspora and those with ties to the region. My own WhatsApp account was compromised when I received a suspicious link from an unknown number. The message read: “Don’t click on suspicious links.” Little did I know, that’s exactly what I was being tricked into doing.

    The phishing link led to a fake WhatsApp login page designed to steal Gmail and other online credentials, as well as compromise WhatsApp accounts. The attackers used a dynamic DNS provider called DuckDNS to mask the true location of the phishing page, making it appear as a real WhatsApp link.
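
A defender-side triage of links like the one described above, as an added example that is not part of the original article or of any analysis it cites. The domain lists, reason labels and sample messages are assumptions of this sketch; only `duckdns.org` and `alex-fabow.online` come from the article.

```python
import re
from urllib.parse import urlsplit

# Short hand-maintained lists (assumptions of this sketch, extend as needed).
DYNAMIC_DNS_SUFFIXES = {"duckdns.org"}       # provider named in the article
CAMPAIGN_DOMAINS = {"alex-fabow.online"}     # hosting domain named in the article
OFFICIAL_WHATSAPP = {"whatsapp.com", "whatsapp.net", "wa.me"}
BRAND = "whatsapp"


def _under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_link(url):
    """Return a sorted list of reasons to distrust a link (empty if none found)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no-host"]
    reasons = set()
    if parts.username is not None:
        # https://whatsapp.com@other.host/ really goes to other.host
        reasons.add("userinfo-in-url")
    if _under(host, DYNAMIC_DNS_SUFFIXES):
        reasons.add("dynamic-dns-host")
    if _under(host, CAMPAIGN_DOMAINS):
        reasons.add("known-campaign-domain")
    lure = " ".join([host, parts.username or "", parts.path]).lower()
    if BRAND in lure and not _under(host, OFFICIAL_WHATSAPP):
        reasons.add("brand-on-unofficial-host")
    return sorted(reasons)


def flag_messages(messages):
    """Map each URL found in the messages to its reasons, skipping clean ones."""
    flagged = {}
    for text in messages:
        for url in re.findall(r"https?://[^\s<>\"']+", text):
            reasons = triage_link(url)
            if reasons:
                flagged[url] = reasons
    return flagged


# Constructed sample messages; the duckdns.org subdomains are made up.
SAMPLE = [
    "Join the call: https://whatsapp-meeting-example.duckdns.org/join",
    "Verify here https://whatsapp.com@login-example.duckdns.org/qr",
    "Official client: https://web.whatsapp.com/",
]
```

Suffix matching on the parsed hostname is what keeps `notwhatsapp.com` and `whatsapp.com@…` from passing as official; a substring check on the raw URL would accept both.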

    **A Closer Look at the Attack Chain**

    I shared the full phishing link with TechCrunch, which allowed our team to analyze the source code of the phishing page. What we found was a sophisticated operation designed to steal sensitive information. The phishing page was hosted at alex-fabow.online, a website registered in early November 2025.

    The phishing page was designed to steal not only Gmail and other online credentials but also compromise WhatsApp accounts. It even tricked victims into sharing their location, audio, and photos from their device. In my case, tapping on the link opened a fake WhatsApp-themed page in my browser, which displayed a QR code. Scanning or tapping the code would have linked my WhatsApp account to a device controlled by the attacker, granting them access to my data.

    **Government-Backed or Financially Motivated?**

    It’s unclear who’s behind this campaign, but the targeting of high-profile individuals and the use of sophisticated techniques suggest that it may be a government-backed actor. A government-backed group may want to steal the email password and two-factor codes of a high-value target, such as a politician or journalist, to obtain private and confidential information.

    On the other hand, a financially motivated actor may use the stolen credentials to steal proprietary and sensitive business information from a victim’s inbox or forcibly reset passwords to empty their wallets. However, the targeting of location and device media is unusual for a financially motivated actor, who may have little use for photos and audio recordings.

    **The Campaign’s Infrastructure**

    The domains used in the campaign were registered in early November 2025, and many of the domains appear to be linked to a cybercrime operation driven by financial motivations. Ian Campbell, a threat researcher at DomainTools, discovered that the domains were set up weeks before the campaign began, suggesting that the attackers had been planning this operation in advance.

    The Iranian government has been known to outsource cyberattacks to criminal hacking groups, making it difficult to pinpoint the exact origin of the campaign.

    **A Word of Caution**

    As Iranian security expert Gary Miller notes, “This drives home the point that clicking on unsolicited WhatsApp links, regardless of how convincing, is a high-risk, unsafe practice.”

    **The Potential Impact**

    This campaign highlights the importance of being cautious when clicking on suspicious links, especially in times of crisis or conflict. With many countries in the Middle East experiencing internet shutdowns and unrest, the risk of phishing campaigns is higher than ever.

    **Staying Safe Online**

    To avoid falling victim to similar phishing campaigns, follow these best practices:

    * Be cautious when clicking on links, especially if they’re unsolicited or seem suspicious
    * Use two-factor authentication to protect your accounts
    * Use reputable antivirus software to scan your device for malware
    * Be wary of phishing links that ask for sensitive information, such as login credentials or financial information
    * Use a VPN to encrypt your internet traffic when browsing the web

    Stay safe online, and stay informed about the latest cybersecurity threats!

    Naveed Ahmad
