Recently uncovered cyber operations linked to Vietnamese threat actors have revealed a sophisticated method of launching phishing attacks using Google AppSheet as a conduit. This campaign aims to compromise Facebook accounts, with approximately 30,000 accounts reported hacked.

The operation, identified as “AccountDumpling” by cybersecurity firm Guardio, sells the hijacked accounts through an illicit storefront run by the attackers. Guardio security researcher Shaked Chen noted in a report to The Hacker News that the operation was not merely a collection of phishing kits but a complex and dynamic enterprise with real-time operator panels and advanced evasive measures.

This development exemplifies the evolving tactics of Vietnamese cybercriminals, who have been increasingly successful in using a variety of methods to gain unauthorized access to Facebook accounts for profit. The stolen credentials are often cycled back into dark markets, turning compromised assets into currency.

The initial vector for these attacks appears to be phishing emails targeting owners of Facebook Business accounts. Posing as communications from Meta Support, these emails create a sense of urgency, falsely warning recipients of potential account deletion if they do not submit an appeal. The emails originate from a Google AppSheet address, which aids in evading spam filters.

Once recipients act on the urgency, they are directed to fraudulent web pages crafted to capture their login credentials. Guardio draws parallels to a similar campaign reported by KnowBe4 in May 2025, further underscoring the persistent threat landscape.

The ongoing campaigns have been characterized by various deceptive lures aimed at inciting panic among victims. These tactics include notifications of account disablement, copyright complaints, and requests for verification. Guardio has identified distinct clusters within these tactics, which facilitate account takeover through methods like capturing personal information via Netlify-hosted pages or misleading users into providing sensitive information via Google Drive-hosted PDFs and bogus job recruitment offers.
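A triage sketch for the delivery pattern and lure themes described above, added here as an illustration and not taken from Guardio's report. The domain lists (`appsheet.com` as the relay sender, the brand-owned sender domains), the verdict names and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): adjust both lists to your own mail flow.
RELAY_DOMAINS = {"appsheet.com"}  # platforms that send mail on behalf of their users
BRAND_DOMAINS = {"facebookmail.com", "facebook.com", "meta.com"}  # brand's own senders
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
# Lure themes the article lists: deletion/appeal, disablement, copyright, verification.
URGENCY_RE = re.compile(r"\b(appeal|delet\w+|disabl\w+|copyright|verif\w+)\b", re.I)

def in_domains(domain, domains):
    return any(domain == d or domain.endswith("." + d) for d in domains)

def plain_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def triage(raw):
    """Return (verdict, reasons); auth results are ignored because relayed mail passes them."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    reasons = []
    claims_brand = bool(BRAND_RE.search(display) or BRAND_RE.search(subject))
    if claims_brand and not in_domains(domain, BRAND_DOMAINS):
        reasons.append("brand_sender_mismatch")
        if in_domains(domain, RELAY_DOMAINS):
            reasons.append("sent_via_relay_platform")
        if URGENCY_RE.search(subject + "\n" + plain_text(msg)):
            reasons.append("urgency_lure")
    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "pass"
    return verdict, reasons

# Constructed sample messages (not real campaign mail).
LURE = ("From: \"Meta Support\" <noreply@appsheet.com>\n"
        "Authentication-Results: mx.example; dkim=pass; spf=pass\n"
        "Subject: Action required: submit an appeal\n\n"
        "Your page is scheduled for deletion unless you appeal.\n")
BENIGN_RELAY = ("From: \"AppSheet\" <noreply@appsheet.com>\n"
                "Subject: Weekly inventory report\n\n"
                "Your scheduled report is ready.\n")
BRAND_OWN = ("From: \"Facebook\" <security@facebookmail.com>\n"
             "Subject: New login to your account\n\n"
             "We noticed a new login.\n")

if __name__ == "__main__":
    print(triage(LURE), triage(BENIGN_RELAY), triage(BRAND_OWN))
```

The check keys on the mismatch between the claimed brand and the sending domain, so ordinary mail from the relay platform is not flagged.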

Analysis of associated Telegram channels has revealed a vast repository of victim data, with records primarily from individuals in the U.S., Italy, Canada, and several other countries. Most victims have found themselves locked out of their accounts.

Further investigation into the operation has yielded compelling evidence, particularly the metadata of PDFs crafted using a free Canva account, which points to a Vietnamese national as the creator. Open-source intelligence has uncovered a digital marketing website linked to this individual, where they promote various services.

Taken as a whole, these events paint a picture of a large-scale, Vietnamese-based cyber operation focused on extracting value from stolen Facebook assets. This campaign opens a window into the darker aspects of the online economy, where access to accounts, identity, advertisement reputation, and recovery options have become tradeable commodities.

Mapped to the MITRE ATT&CK framework, the tactics include initial access and credential harvesting and suggest a calculated approach to infiltrating and exploiting user accounts. The ongoing evolution of these techniques demonstrates the need for heightened vigilance and robust cybersecurity measures among businesses that utilize online platforms like Facebook.
