In a sophisticated display of “trust inversion,” a Vietnamese-linked cybercriminal operation has turned Google's own infrastructure against its users. Security researcher Shaked Chen at Guardio Labs has uncovered a massive campaign dubbed “AccountDumpling,” which has successfully compromised roughly 30,000 Facebook accounts by leveraging Google AppSheet as a phishing relay.
By using a legitimate Google service, the attackers ensure their malicious emails are “authenticated, signed, and never blocked” by standard security filters.
AppSheet is a no-code platform designed for business workflow automation. The attackers abused its notification system to blast out waves of high-quality phishing lures that appear to come from noreply@appsheet.com.

Because the emails originate from Google's internal systems, they carry perfect SPF, DKIM, and DMARC credentials. As Chen points out, “In practical terms… can you imagine Google blocking an email that a Google system sent?”
The lures primarily target Facebook Business account owners with alarming subjects like “Your account will be permanently disabled in 24h” or “Case ID: 6480258166,” tricking victims into an “appeal” process that is actually an identity-capture trap.
The investigation revealed that AccountDumpling is not a single kit but a “living operation” with four distinct attack clusters:
- Cluster A: Netlify-Hosted Clones: Blunt-force Facebook Help Center clones that collect passwords, birthdays, and even photos of government IDs to bypass recovery safeguards.
- Cluster B: The Blue Badge Reward: A “desire-based” lure offering fake Meta Verified rewards, utilizing Unicode hair spaces and Cyrillic homoglyphs to evade natural language detection.
- Cluster C: The Live Operator Panel: The most advanced cluster, which directs victims to a Google Drive-hosted PDF. This PDF contains an embedded link to a real-time Socket.IO-based panel, allowing a “human in the loop” to monitor inputs and trigger 2FA requests while the victim is still on the page.
- Cluster D: Fake Job Offers: Professional-looking outreach for roles at major tech firms like WhatsApp or Adobe, intended to move the conversation to a controlled, off-platform channel.
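As an added illustration (not code from Guardio's report), a small Python triage check for the lure tricks described above: it strips hair and zero-width spaces and maps common Cyrillic homoglyphs back to Latin before keyword matching, then flags messages relayed through appsheet.com that pass authentication yet carry Facebook/Meta-themed subjects. The sample messages, the case number and the homoglyph table are constructed for this example.

```python
import re
import unicodedata

# Hand-built subset of Cyrillic letters that render like Latin ones
# (the full Unicode confusables table is far larger; constructed here).
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
})
# Hair space, zero-width characters and soft hyphen used to split keywords.
INVISIBLE = re.compile("[\u200a\u200b\u200c\u200d\u2060\ufeff\u00ad]")

LURE_PHRASES = ("permanently disabled", "case id", "meta verified", "appeal")


def normalize(text: str) -> str:
    """Collapse invisible separators and homoglyphs so matching sees plain ASCII."""
    text = INVISIBLE.sub("", text)
    text = unicodedata.normalize("NFKC", text)
    text = text.translate(CYRILLIC_TO_LATIN)
    return " ".join(text.casefold().split())


def lure_phrases_in(subject: str) -> list[str]:
    """Return the lure phrases present after normalization."""
    norm = normalize(subject)
    return [p for p in LURE_PHRASES if p in norm]


def is_suspicious(msg: dict) -> bool:
    """Authenticated AppSheet relay + account-threat wording = worth a second look."""
    relay = msg["from"].lower().endswith("@appsheet.com")
    auth_ok = msg.get("spf") == "pass" and msg.get("dkim") == "pass"
    return relay and auth_ok and bool(lure_phrases_in(msg["subject"]))


# Constructed sample messages, not real campaign data.
SAMPLE = [
    {"from": "noreply@appsheet.com", "spf": "pass", "dkim": "pass",
     "subject": "Y\u043eur \u0430cc\u043eunt will be perm\u200aanently dis\u0430bled in 24h"},
    {"from": "noreply@appsheet.com", "spf": "pass", "dkim": "pass",
     "subject": "C\u0430se ID: 0000000000 - Appeal required"},
    {"from": "noreply@appsheet.com", "spf": "pass", "dkim": "pass",
     "subject": "Inventory app: 3 rows updated"},
]


def flagged_subjects(messages: list[dict] = SAMPLE) -> list[str]:
    """Subjects of messages that match the relay-plus-lure pattern."""
    return [m["subject"] for m in messages if is_suspicious(m)]
```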
Guardio Labs successfully traced the operation's command-and-control (C2) to a series of Telegram bots where victim data is exfiltrated in real time. Analysis of the exfiltration channels revealed administrative identities such as “Big Bosss” and “@mansinblack”.
The most significant break in the case came from a metadata error: “The /Author field [of a Canva-generated PDF] contained a real Vietnamese name: PHαΊ M TΓI TΓN”.
This name was linked to a public Facebook profile and a business persona openly advertising Facebook “unlocking” and “security” services. This creates a dark “criminal-commercial loop” where the same hands stealing the accounts may be offering to “recover” them for a fee through public-facing storefronts like dichvufbgiare.com.
While the targeting is global, the market for these stolen assets is specific. In a sample of roughly 2,900 victims, 68.6% were located in the United States, followed by Italy, Canada, and the Philippines.
The stolen accounts don’t just result in personal loss; they become “infrastructure for the next layer of abuse,” powering disinformation, identity laundering, and fraudulent storefronts at scale.
Guardio Labs has already initiated outreach to thousands of identified victims to help them secure their accounts. If you receive an unexpected document via Google Drive or an urgent notice via AppSheet, verify it through a separate, known communication channel before entering your credentials.