HackRead

Google AppSheet Exploited in 30,000-User Facebook Phishing Operation


Cybersecurity researchers at Guardio Labs have discovered a massive phishing operation that uses Google’s own infrastructure to hijack Facebook accounts. This research reveals a Vietnamese-linked operation code-named AccountDumpling that has already compromised over 30,000 users globally.

AppSheet Abuse

Guardio Labs researchers explained in the report that this campaign abuses the notification system of Google AppSheet (a no-code tool designed for business automation). Through this service, the attackers send emails from [email protected] and appsheet.bounces.google.com.

Because these emails originate from Google’s servers, they pass email authentication checks such as SPF, DKIM, and DMARC. Researchers noted that the phishing lures use Meta-related themes, such as fake copyright complaints or account disablement warnings. One email from April 2026 included the text “Case ID: 6480258166” and warned of permanent disablement within 24 hours.

Technical Methods and Attack Clusters

Researchers noted that this isn’t just one simple trick. The operation is split into different methods, or clusters, to catch different types of victims:

  • Cluster A (Netlify Clones): Some attackers used a tool called HTTrack to copy the Facebook Help Centre. They hosted these copies on Netlify to steal passwords and photos of government IDs.
  • Cluster B (The Reward Trap): Another group used social engineering to lure users, for example by promising Blue Badge verification. They used zero-font tactics like Cyrillic homoglyphs (a Cyrillic “а” instead of a Latin “a”) and hair spaces (invisible Unicode characters) to bypass spam filters.
  • Cluster C (Live Control): This cluster is the most dangerous because it is highly advanced. It uses a Google Drive-hosted PDF together with Socket.IO and WebSockets to create a live operator panel. Once the victim clicks through, the attackers can interact with them in real time to request 2FA (two-factor authentication) codes.
  • Cluster D: This involves fake job recruitment for brands like Adobe, Apple, and Coca-Cola, and redirects victims to private WhatsApp chats.
Attack clusters (Source: Guardio Labs)
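The two defensive gaps this campaign relies on are that SPF/DKIM/DMARC say nothing about which brand a message claims to be from, and that homoglyphs and hair spaces defeat naive keyword filters. The following added example (not code from the article or from Guardio Labs) shows mail-triage heuristics that catch both: a brand-versus-authenticated-domain mismatch and Unicode evasion in the text. The sample message, sender domain and keyword list are constructed for illustration.

```python
import re
import unicodedata

# Zero-width and hair-space code points used to split keywords so that naive
# string matching ("account disabled") fails while the text still reads normally.
INVISIBLE_CHARS = {"\u2009", "\u200a", "\u200b", "\u200c", "\u200d", "\u202f", "\ufeff"}
META_KEYWORDS = ("meta", "facebook", "instagram")   # constructed brand keyword list

def strip_invisible(text: str) -> str:
    """Remove invisible spacing characters so keyword matching sees the real words."""
    return "".join(c for c in text if c not in INVISIBLE_CHARS)

def mixed_script_words(text: str) -> list:
    """Words that mix Latin letters with Cyrillic look-alikes (e.g. Cyrillic 'а')."""
    hits = []
    for word in re.findall(r"\w+", strip_invisible(text)):
        # unicodedata names begin with the script, e.g. "LATIN SMALL LETTER A"
        scripts = {unicodedata.name(c, "?").split()[0] for c in word if c.isalpha()}
        if "LATIN" in scripts and "CYRILLIC" in scripts:
            hits.append(word)
    return hits

def invisible_chars(text: str) -> list:
    """Code points of invisible spacing characters present in the text."""
    return sorted({f"U+{ord(c):04X}" for c in text if c in INVISIBLE_CHARS})

def triage(sender_domain: str, subject: str, body: str) -> dict:
    """Findings for one message whose SPF/DKIM/DMARC already passed: the checks
    look at what authentication cannot see, namely the claimed brand versus the
    authenticated sending domain, and Unicode evasion tricks in the text."""
    text = subject + "\n" + body
    claims_meta = any(k in strip_invisible(text).lower() for k in META_KEYWORDS)
    return {
        "brand_mismatch": claims_meta and sender_domain.endswith(".google.com"),
        "homoglyph_words": mixed_script_words(text),
        "invisible_chars": invisible_chars(text),
    }

# Constructed sample modelled on the lure described above; not a real message.
SAMPLE_SENDER = "appsheet.bounces.google.com"
SAMPLE_SUBJECT = "Your Meta \u0430ccount will be disabled"   # Cyrillic а in "account"
SAMPLE_BODY = ("Case ID: <placeholder>\nYour acc\u200aount violates copyright policy. "
               "Verify within 24 hours or it will be perm\u200aanently disabled.")

if __name__ == "__main__":
    print(triage(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY))
```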

Attribution

Further investigation revealed a clear trail leading back to Vietnam. A Canva-generated PDF file from the attack contained the name Phạm Tài Tân in the metadata. This same name is linked to a business that openly ‘helps’ people recover locked Facebook accounts.

According to researchers, the data stolen by these kits is sent to Telegram bots like @haixuancau_bot and @globalglobalglobalbot_bot. These channels are run by users known by their aliases “Big Bosss” and “@mansinblack.”

While the attack is global, 68.6% of the victims in the main dataset were from the United States, followed by the UK, Canada, and Italy. Guardio Labs warned that this is a professional supply chain. One group steals the account, and another sells the access back or uses it for fraud. It’s a dark business model that turns user trust into a product.
