Vietnamese Hackers Exploit Google AppSheet in 30,000-Account Facebook Phishing Spree

Roughly 30,000 Facebook accounts have been compromised in a phishing operation that used a Google AppSheet address as a delivery relay, researchers say.

How Guardio tracked "AccountDumpling" and the AppSheet relay

Security researcher Shaked Chen of Guardio, in a report shared with The Hacker News, codenamed the activity "AccountDumpling." Chen described the operation as more than a single phishing kit: "It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back." The campaign relied on emails sent from a Google AppSheet address ("noreply@appsheet.com"), a technique that let the messages bypass spam filters and reach Facebook Business account owners.

Four distinct phishing clusters and the data they harvested

Guardio identified four main clusters of lures and hosting techniques used to harvest credentials and personal data:

  • Netlify-hosted Facebook help center pages: These pages enabled account takeover and collected dates of birth, phone numbers, and government-issued ID photos. The harvested data was forwarded to attacker-controlled Telegram channels.
  • Blue badge evaluation lures via Vercel: Victims were steered to "Security Check" or "Meta | Privacy Center" pages gated by a bogus CAPTCHA. A forced retry redirected users to phishing landing pages that collected contact details, business information, credentials (after the forced retry), and two-factor authentication codes, with exfiltration to Telegram.
  • Google Drive-hosted PDFs that led to credential capture: PDFs masquerading as account verification instructions directed users to submit passwords, 2FA codes, government ID photos, and browser screenshots captured through html2canvas. The PDF documents were generated using a free Canva account.
  • Fake job offers impersonating large brands: Impersonations of WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca‑Cola were used to build rapport and ask targets to join a call or continue discussions on attacker-controlled sites.

Who was hit, and how stolen accounts were monetized

Guardio's analysis found the Telegram channels tied to the first three clusters contained about 30,000 victim records. Most victims were located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico; many of those accounts' legitimate owners had been locked out. The scheme then sold the stolen Facebook accounts through an illicit storefront operated by the same threat actors, creating a criminal-commercial loop between theft and resale.

Evidence linking the operation to Vietnam

Forensic traces in the campaign point to a Vietnamese-linked operation. The "smoking gun" cited by Guardio came from PDF metadata created as part of the Google Drive-hosted PDF cluster: files showed an author name listed as "PHẠM TÀI TÂN." Open-source follow-ups led researchers to a website, "phamtaitan[.]vn," that offers digital marketing services. A post shared on X in February 2023 by the same handle said it "specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies." Taken together, Chen wrote, these artifacts "form a consistent picture of a large, Vietnamese-based, mega operation."

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Teams will need to watch for phishing that uses trusted delivery addresses (the campaign used "noreply@appsheet.com") and examine exfiltration to messaging platforms such as Telegram. The operation's use of multiple hosting services — Netlify, Vercel, Google Drive, and Canva — shows attackers repurposing widely used platforms for different stages of the fraud.
  • Affected enterprises and procurement leaders: Organizations managing Facebook Business accounts and advertising identities should expect account-targeted lures claiming to be from Meta Support or offering blue‑badge reviews, copyright complaints, or verification instructions. The campaign shows stolen ad identity and account access can be converted into a revenue stream on illicit storefronts.
  • End users and page owners: Business account owners receiving urgent notices to "submit an appeal" or face deletion should be aware these lures have been seen in multiple variations, and that attackers have used fake job offers and official-looking PDFs to harvest credentials and 2FA codes.
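
A triage heuristic for the first point above, added here as an illustration (it is not Guardio's tooling or code from the original report): it flags mail from the AppSheet relay address when the text carries the Meta-themed lures the article lists and links to the hosting services it names. The hostname suffixes, the term list, the verdict names and the sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

RELAY_SENDER = "noreply@appsheet.com"  # relay address named in the article
# Assumption: public hostname suffixes of the hosting services the article names.
WATCHED_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")
# Lure themes quoted in the article, matched case-insensitively.
LURE_TERMS = ("meta support", "blue badge", "copyright", "submit an appeal",
              "verification", "security check", "privacy center")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def watched_link_hosts(text):
    """Hostnames of links in text that sit on a watched hosting service."""
    hosts = {(urlparse(u).hostname or "").rstrip(".").lower() for u in URL_RE.findall(text)}
    return sorted(h for h in hosts
                  if any(h == s or h.endswith("." + s) for s in WATCHED_HOSTS))

def triage(raw_message):
    """Return (verdict, lure_terms, hosts) for one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = body_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    lures = [t for t in LURE_TERMS if t in haystack]
    hosts = watched_link_hosts(body)
    if sender != RELAY_SENDER:
        return "pass", lures, hosts          # outside this rule's scope
    if lures and hosts:
        return "quarantine", lures, hosts    # relay + Meta lure + off-platform link
    return ("review" if lures or hosts else "pass"), lures, hosts

# Constructed sample messages (not taken from the campaign).
LURE_MAIL = ('From: "Meta Support" <noreply@appsheet.com>\n'
             "Subject: Submit an appeal within 24 hours\n\n"
             "Your page faces deletion. Start the blue badge review:\n"
             "https://constructed-help-center.netlify.app/appeal\n")
ROUTINE_MAIL = ("From: noreply@appsheet.com\n"
                "Subject: Inventory app: new row added\n\n"
                "Open the app: https://www.appsheet.com/start/constructed-id\n")
```

The rule keys on a mismatch between the relay and the message content rather than on sender reputation, so routine AppSheet notifications still pass.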

The AccountDumpling findings also fit a longer pattern: Guardio notes Vietnamese threat actors have repeatedly adopted varied tactics to gain unauthorized access to Facebook accounts, then commodify those accounts in underground ecosystems. Similar tactics were observed in a related campaign documented by KnowBe4 in May 2025.

AccountDumpling is notable not just for scale — roughly 30,000 victim records — but for how it stitched legitimate cloud services into an operational pipeline: trusted delivery via AppSheet, hosting on Netlify and Vercel, document generation via Canva, and data collection routed to Telegram. Chen framed the campaign as "bigger than a single AppSheet abuse" and as a "window into the dark market around stolen Facebook assets." The immediate unanswered question is whether the platforms used in the chain and the marketplaces that buy and sell access will change controls to disrupt the criminal-commercial loop Guardio described.

Original reporting: The Hacker News — 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign