30,000 Facebook Accounts Hacked Through Google AppSheet Phishing Campaign
A newly discovered Vietnamese-linked operation has been spotted using Google AppSheet as a “phishing relay” to distribute phishing emails with the aim of compromising Facebook accounts.
The function is named in code AccountDumpling by Guardio, for a scheme to sell stolen accounts back to an illegal store run by shady actors. In total, around 30,000 Facebook accounts are estimated to have been hacked as part of the campaign.
“What we found was not a phishing kit,” security researcher Shaked Chen wrote in a report shared with Hacker News. “It was a living operation with real-time operator panels, advanced avoidance, continuous evolution and a criminal trading loop that silently feeds on the same accounts it helps to steal.”
The findings are the latest example of how Vietnamese threat actors continue to adopt a variety of tactics to gain unauthorized access to victims’ Facebook accounts, which are then sold in underground ecosystems for revenue.
The trigger for the latest attack is a phishing email targeting Facebook Business account holders, claiming to be from Meta Support and urging them to file a complaint, or risk having their account permanently deleted. Emails are sent to a Google AppSheet address (“noreply@appsheet.com”), which allows them to bypass spam filters.
This false sense of urgency is used to direct users to a fake web page designed to prey on their credentials. It is worth noting that the same campaign was reported by KnowBe4 in May 2025.
In the past few weeks, these campaigns have adopted various types of hypnosis designed to induce “Meta-related panic.” These range from account suspensions and copyright complaints to verification reviews, hiring managers, and Facebook login warnings. The four major clusters identified by Guardio are listed below –
- Facebook’s help center pages hosted by Netlify allow for account takeover attacks, in addition to collecting birthdays, phone numbers, and government-issued ID photos. The data is finally transmitted to a Telegram channel controlled by the attacker.
- Green badge test lures that direct victims to Vercel-hosted “Security Check” or “Meta | Privacy Center” pages are activated by a fake CAPTCHA check before directing users to a phishing landing page to collect contact information, business information, credentials (after forced retries), and two-factor authentication (2FAtra) for codes on Telegram.
- PDFs hosted by Google Drive act as instructions to complete account verification to guide users to collect passwords, 2FA codes, government ID photos, and browser screenshots through html2canvas. PDF documents are generated using a free Canva account.
- Fake jobs offer companies impersonating companies such as WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build relationships with recipients and ask them to join a call or continue a conversation on sites controlled by attackers.
Combined, the Telegram channels associated with the first three groups were found to have records of about 30,000 victims, most of whom are located in the US, Italy, Canada, Philippines, India, Spain, Australia, UK, Brazil, and Mexico, and locked out of their accounts.
As for who did this, the evidence of the smoking gun appeared in PDFs produced as part of a third batch using a free Canva account, with metadata listing the Vietnamese name “PHẠM TÀI TÂN” as the author of the files. Some open source ingenuity led to the discovery of a website (“phamtaitan[.]vn”), where they offer digital marketing services.
In a post shared on X in February 2023, the website operator said it “specializes in providing digital marketing services, marketing resources, and consulting on effective marketing strategies.”
“Taken together, they create a consistent image of a large, Vietnam-based operation,” Chen said. “This campaign is bigger than a single AppSheet hack. It’s a window into the black market around stolen Facebook assets, where access, business ownership, ad reputation, and even account acquisition have all become commodities. Also included in the pattern we’re continuing to reveal: trusted platforms are repurposed for delivery, hosting, and monetization.”
