- Vietnamese threat actors used Google AppSheet as a phishing relay to compromise roughly 30,000 Facebook accounts.
- The campaign, codenamed AccountDumpling, stole credentials through emails pretending to be from Meta Support.
- Stolen account details were exfiltrated and sold via an illicit storefront operated by the attackers.
- Metadata from PDFs linked the operation to a Vietnamese individual named PHẠM TÀI TÂN.
A Vietnamese-linked cyber operation, codenamed AccountDumpling, has been distributing phishing emails from a Google AppSheet address since early May 2026 to steal Facebook credentials. According to a report by Guardio, this scheme has compromised roughly 30,000 accounts, selling them back through an illicit storefront.
The emails impersonated Meta Support, creating urgency to lure Facebook Business account owners to fake login pages. Consequently, this allowed the attackers to harvest passwords, two-factor authentication codes, and personal identification data. The stolen information was then forwarded to attacker-controlled Telegram channels.
The campaign employed several evolving phishing lures, including fake copyright complaints and job offers from companies like WhatsApp and Adobe. Meanwhile, a cluster used Google Drive-hosted PDFs, generated via a free Canva account, to gather sensitive data.
Metadata from these PDFs identified a Vietnamese name, PHẠM TÀI TÂN, as the author. Further open-source intelligence linked this individual to a digital marketing website, which stated in 2023 it specialized in marketing services. However, the operation now repurposes trusted platforms for criminal delivery and monetization.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
