How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East


A recent phishing campaign has targeted prominent individuals in the Middle East, particularly those involved in activities related to Iran. U.K.-based Iranian activist Nariman Gharib brought attention to the campaign by sharing redacted screenshots of a phishing link he received via WhatsApp. He cautioned others against clicking on suspicious links, especially given the ongoing internet shutdown in Iran amidst anti-government protests. Gharib, who is closely monitoring the digital landscape surrounding these protests, revealed that the campaign aims to compromise accounts on platforms like Gmail and WhatsApp.

Following his tweet, Gharib provided TechCrunch with the phishing link, which allowed researchers to analyze the source code of the malicious site. The investigation found that the attackers were likely seeking to steal online credentials and conduct surveillance by accessing location data, photos, and audio recordings from victims' devices. TechCrunch's analysis highlighted a troubling aspect of the attack: an exposed server storing real-time copies of victims' responses, which included sensitive information from dozens of individuals who fell for the phishing trap. Notable targets included a Middle Eastern academic, a senior Lebanese cabinet minister, and various Americans. This breach underscores the vulnerability of individuals involved in politically sensitive activities.

The phishing link reportedly used a dynamic DNS provider called DuckDNS to mask its true origin, further complicating efforts to trace the attackers. The phishing site was hosted under a domain registered in early November 2025, alongside a pattern of related domains aimed at deceiving users into providing personal information.

The phishing scheme employed various tactics to manipulate victims. For instance, the page would mimic a Gmail login screen, prompting users to enter their credentials and two-factor authentication codes. Additionally, the code contained a flaw that allowed TechCrunch to access a log of over 850 entries documenting each user's interactions with the phishing site, a record that effectively acted as a keylogger. The campaign also employed social engineering techniques, such as presenting a QR code designed to link victims' WhatsApp accounts to a device controlled by the attackers. Security experts have noted that this method exploits WhatsApp's device linking feature, which has been used in similar attacks.

Security researchers have speculated on the motivations behind this campaign. Some suggest it may be linked to state-sponsored espionage, particularly given that it coincides with ongoing protests in Iran. The focus on accessing location and media data raises questions about the attackers' objectives, as traditional financial motivations would not typically include such invasive actions.

Ultimately, this incident serves as a stark reminder of the dangers of unsolicited links on messaging platforms. Experts emphasize the importance of vigilance when encountering suspicious communications, especially in politically charged environments. As investigations continue, the identities and intentions of the attackers remain uncertain, but the ramifications of this campaign are significant for the targeted individuals and the broader context of cybersecurity in the region.

Sources: TechCrunch

Published On: Jan 16, 2026, 17:45
