On Tuesday, U.K.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing link sent to him via a WhatsApp message. “Do not click on suspicious links,” Gharib warned. The activist, who is following the digital side of the Iranian protests from afar, said the campaign targeted people involved in Iran-related activities, such as himself.

This hacking campaign comes as Iran grapples with the longest nationwide internet shutdown in its history, as anti-government protests — and violent crackdowns — rage across the country. Given that Iran and its closest adversaries are highly active in the offensive cyberspace (read: hacking people), we wanted to learn more.

Gharib shared the full phishing link with TechCrunch soon after his post, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared a write-up of his findings.

TechCrunch analyzed the source code of the phishing page, and with added input from security researchers, we believe the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings. It is unclear, however, if the hackers were government-linked agents, spies, or cybercriminals — or all three.

TechCrunch also identified a way to view a real-time copy of all the victims’ responses saved on the attacker’s server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site and were subsequently likely hacked. The list includes a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and people in the United States or with U.S. phone numbers.

TechCrunch is publishing our findings after validating much of Gharib’s report. The phishing site is now down.
Inside the attack chain

According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim’s browser.

The link shows that the attackers relied on a dynamic DNS provider called DuckDNS for their phishing campaign. Dynamic DNS providers allow people to connect easy-to-remember web addresses — in this case, a duckdns.org subdomain — to a server whose IP address may change frequently. It’s not clear whether the attackers shut down the phishing site of their own accord or were caught and cut off by DuckDNS. We reached out to DuckDNS with inquiries, but its owner Richard Harper requested that we send an abuse report instead.

From what we understand, the attackers used DuckDNS to mask the real location of the phishing page, presumably to make it look like a genuine WhatsApp link. The phishing page was actually hosted at alex-fabow.online, a domain that was first registered in early November 2025. Several other, related domains are hosted on the same dedicated server, and their names follow a pattern that suggests the campaign also targeted users of other messaging and virtual meeting services, such as meet-safe.online and whats-login.online.

We’re not sure what happens while the DuckDNS link loads in the victim’s browser, or how the link determines which specific phishing page to load. It may be that the DuckDNS link redirects the target to a specific phishing page based on information it gleans from the user’s device. The phishing page would not load in our web browser, preventing us from directly interacting with it. Reading the source code of the page, however, allowed us to better understand how the attack worked.

Gmail credential and phone number phishing

Depending on the target, tapping on a phishing link would open a fake Gmail login page, or ask for their phone number, and begin an attack flow aimed at stealing their password and two-factor authentication code.
But the source code of the phishing page had at least one flaw: TechCrunch found that by modifying the phishing page’s URL in our web browser, we could view a file on the attacker’s server that was storing records of every victim who had entered their credentials.

The file contained over 850 records of information submitted by victims during the attack flow. These records showed which step of the phishing flow each victim had reached. This included copies of the usernames and passwords that victims had entered on the phishing page, as well as incorrect entries and their two-factor codes, effectively serving as a keylogger.

The records also contained each victim’s user agent, a string of text that identifies the operating system and browser versions used to view websites. This data shows that the campaign was designed to target Windows, macOS, iPhone, and Android users.

The exposed file allowed us to follow the attack fl