A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a phishing relay to distribute malicious emails aiming to compromise Facebook accounts.
The activity, codenamed AccountDumpling by Guardio, involves a scheme where stolen accounts are sold through an illicit storefront run by threat actors. Roughly 30,000 Facebook accounts have been hacked during this campaign.
Security researcher Shaked Chen described the campaign as a living operation with real-time operator panels, advanced evasion techniques, and a criminal-commercial loop that continuously feeds on stolen accounts, underscoring the need for ongoing vigilance.
The campaign begins with a phishing email targeting owners of Facebook Business accounts. The email, which appears to be from “Meta Support,” instructs recipients to submit an appeal immediately to prevent the permanent deletion of their account. Because these messages are sent from a Google AppSheet address, they are able to easily bypass standard spam filters.
This false urgency directs users to a fake web page designed to harvest credentials. Recently, the campaigns adopted various lures to induce a Meta-related panic, ranging from account disablement to executive recruitment.
Guardio identified four main attack clusters. These include Netlify-hosted help center pages that collect personal data, blue badge evaluation lures gated by bogus CAPTCHAs, Google Drive-hosted PDFs generated via Canva, and fake job offers impersonating major tech companies.
Cumulatively, the Telegram channels associated with these clusters hold about 30,000 victim records. Most victims are located in the U.S., Canada, India, and the U.K., and have been locked out of their accounts.
Smoking gun evidence came from the Canva-generated PDFs, with metadata listing a Vietnamese name, “PHẠM TÀI TÂN,” as the author. Open-source intelligence led to a website offering digital marketing services under with that title.
According to Chen, this campaign generates a consistent picture of a massive Vietnamese-based operation, showing how trusted media outlets are repurposed as delivery and monetization layers for stolen Facebook assets.