The AccountDumpling Offensive: How Attackers Are Weaponizing Google Infrastructure to Hijack Facebook Ecosystems
In a sophisticated display of “trust inversion,” cybersecurity researchers at Guardio Labs have deconstructed a massive, industrialized phishing campaign known as AccountDumpling. This operation, which has successfully compromised over 30,000 Facebook accounts globally, represents a significant evolution in how threat actors bypass modern email security layers.
Unlike traditional phishing campaigns that rely on suspicious-looking domains or unauthenticated SMTP servers, AccountDumpling leverages Google AppSheet to deliver its payloads. By utilizing Google’s automated workflow notification system, the attackers ensure their emails are sent from legitimate, high-reputation Google infrastructure. This allows the messages to seamlessly pass SPF, DKIM, and DMARC authentication protocols, effectively rendering many Secure Email Gateways (SEGs) and spam filters obsolete.

By exploiting this inherent trust, the attackers can deliver high-pressure “policy violation” warnings directly to the inboxes of high-value business account owners, ensuring a high click-through rate without triggering conventional security alerts.
A Multi-Vector Approach: Sophisticated Phishing Clusters
The AccountDumpling campaign is not a monolithic attack; rather, it is a highly orchestrated, multi-cluster operation designed to target different psychological profiles and technical defenses.
Cluster 1: Identity Harvesting via Netlify
The initial wave directs victims to static pages hosted on Netlify. These pages are near-perfect clones of the Facebook Help Center. To evade URL-based reputation filters, the attackers use unique, per-victim subdomains. These sites don’t just harvest passwords; they perform full identity theft, capturing dates of birth and government-issued identification photos.

Cluster 2: Reward-Based Social Engineering via Vercel
Shifting tactics from fear to greed, a second cluster targets users with promises of “Blue Badge” verification. Hosted on Vercel, these dynamic pages utilize advanced evasion techniques, such as invisible Unicode characters, to bypass Natural Language Processing (NLP) detection used by security software. Critically, these pages are designed to intercept Multi-Factor Authentication (MFA) codes in real time.
Cluster 3: Real-Time Session Hijacking via Socket.io
The most technically advanced tier utilizes Google Drive to host malicious PDFs. Once opened, these files present a professional Meta notification—meticulously designed in Canva—containing links to a Socket.io-based phishing panel. This architecture allows the attacker to maintain a live WebSocket connection, enabling human operators to manage the victim’s session actively, request specific 2FA codes on demand, and even take real-time browser screenshots.

Cluster 4: Long-Con Recruitment Scams
Finally, a fourth cluster bypasses technical lures entirely in favor of direct social engineering. Attackers impersonate corporate recruiters from major tech brands, building rapport over time before moving the victim to attacker-controlled messaging channels.
Telegram-Powered Exfiltration and Attribution
To manage the massive data flow, the operators utilize a centralized Command-and-Control (C2) infrastructure powered by Telegram bots. As credentials and session tokens are harvested, they are streamed in real-time to private Telegram channels. This allows the attackers to execute rapid account takeovers before the legitimate user even realizes their credentials have been compromised.

The scale of this operation is staggering. Analysis indicates roughly 30,000 compromised records, with a heavy concentration of victims in the United States and Europe.
The Guard Labs investigation provided a breakthrough in attribution through forensic metadata analysis. By examining the author metadata within the Google Drive-hosted PDFs, researchers identified a real name, linking the digital infrastructure to a specific entity in Vietnam. This was further confirmed by finding Vietnamese-language developer comments embedded directly within the malicious JavaScript and HTML source code.

Ultimately, AccountDumpling highlights the emergence of a highly industrialized “access economy.” In this ecosystem, social media accounts are not just stolen; they are treated as liquid assets—harvested at scale, monetized, and then repurposed to fuel secondary waves of fraudulent activity, creating a self-sustaining cycle of cybercrime.