30,000 Facebook Accounts Hacked: Inside the Google AppSheet Phishing Scam

30,000 Facebook Accounts Hacked Through Google AppSheet Phishing Scheme

Roughly 30,000 Facebook accounts hacked through a sophisticated phishing campaign abusing Google AppSheet have been linked to a sprawling Vietnamese cybercrime operation. The discovery, made by cybersecurity firm Guardio, paints a chilling picture of how trusted platforms are being weaponized to fuel a thriving underground market in stolen social media identities.

Dubbed AccountDumpling, the campaign isn’t just another phishing kit dropped onto the dark web. Researchers describe it as a fully functioning criminal enterprise, complete with real-time operator dashboards, evolving tactics, and an illicit storefront where stolen accounts are sold right back to victims and bad actors alike.

A Phishing Operation Built Like a Business

According to Guardio researcher Shaked Chen, what investigators uncovered was less like a static scam and more like a living operation. It featured continuous evolution, advanced detection-evasion techniques, and a closed-loop business model that profits from the very accounts it helps steal.

This finding adds to a growing list of incidents tied to Vietnamese threat groups, which have increasingly targeted Facebook accounts due to their high resale value in underground marketplaces. The accounts, particularly those connected to advertising and business profiles, are highly prized because they can be repurposed for ad fraud, scams, and identity manipulation.

How the Attack Begins

The trap is set with a deceptively simple email. Victims, typically owners of Facebook Business accounts, receive a message claiming to be from Meta Support. The email warns that their account is at risk of permanent deletion unless they submit an appeal — a tactic engineered to trigger immediate panic.

What makes the scheme especially dangerous is that the emails come from a legitimate Google AppSheet address (noreply@appsheet.com). Because the domain is trusted, these messages slip past most spam filters, landing directly in users’ inboxes.

Once recipients click, they’re funneled to fake pages designed to harvest their credentials. A similar phishing approach involving cloned support pages was previously documented by KnowBe4 in May 2025, suggesting this is part of a broader pattern of platform abuse.

The Many Faces of the Scam

In recent weeks, the AccountDumpling operators have rolled out numerous variations of their phishing lures. Each is tailored to provoke what Guardio calls “Meta-related panic” — emotional triggers that push users to act before thinking. Examples include:

  • Account disablement warnings
  • Copyright complaint alerts
  • Verification review requests
  • Bogus executive recruitment offers
  • Fake Facebook login alerts

Researchers identified four primary clusters of phishing tactics within this campaign.

1. Netlify-Hosted Fake Help Pages

These cloned Facebook help center pages are designed to take over accounts while also collecting deeply personal information, such as:

  • Dates of birth
  • Phone numbers
  • Government-issued ID photos

Stolen data is funneled directly into a Telegram channel controlled by the attackers.

2. Blue Badge Verification Traps

Posing as Meta’s privacy or verification system, these Vercel-hosted pages mimic security checks and CAPTCHA steps before redirecting users to phishing portals. The fake forms collect:

  • Business credentials
  • Two-factor authentication codes
  • Login details after a forced retry
  • Contact and business information

Like the first cluster, the harvested data is exfiltrated to attacker-run Telegram channels.

3. PDF-Based Phishing via Google Drive

This cluster leans on Google Drive-hosted PDFs disguised as legitimate verification instructions. These cleverly designed documents trick users into entering passwords, 2FA codes, and even uploading photos of their government IDs. Some pages also use html2canvas to silently capture browser screenshots, providing attackers with even more sensitive data.

The PDFs are generated using free Canva accounts — a small but telling detail that helped researchers trace the campaign back to its operators.

4. Fake Job Offer Lures

Another wave of attacks impersonates major companies including WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola. Posing as recruiters, the attackers attempt to build trust with their targets before steering them toward attacker-controlled platforms or fake interview sites.

A Global Web of Victims

The scale of the attack is significant. Telegram channels tied to the first three phishing clusters reportedly hold around 30,000 victim records. The geographic spread of those affected is wide-ranging, with the most impacted countries including:

  • United States
  • Italy
  • Canada
  • Philippines
  • India
  • Spain
  • Australia
  • United Kingdom
  • Brazil
  • Mexico

Many of these victims have lost access to their own Facebook accounts entirely, with attackers sometimes selling access back to them through illicit marketplaces.

Tracing the Operation Back to Vietnam

The investigation took a major turn when researchers examined the PDFs used in the third phishing cluster. The metadata embedded inside those Canva-generated files revealed a Vietnamese name — “PHẠM TÀI TÂN” — listed as the document author.

Further open-source intelligence pointed researchers to a website (phamtaitan[.]vn) tied to digital marketing services. A 2023 social media post from the website’s account boasted about its expertise in digital marketing strategies and consulting, lending more weight to the suspicion that the operation runs under the cover of a seemingly legitimate business front.

While the public-facing brand markets digital growth services, evidence collected so far suggests it doubles as the engine behind a sprawling Facebook account theft empire.
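How an author name like the one described above can be read out of a PDF, as an added example that is not from the article or from Guardio: the document Info dictionary is parsed and its text strings decoded, including the UTF-16BE form needed for names with diacritics. The sample file, the placeholder name, the field values and the function name `info_fields` are constructed for illustration, and the parser assumes an uncompressed Info dictionary.

```python
import re

# Key followed by a hex string <...> or a literal string (...).
# Limitation: unescaped nested parentheses in literal strings are not handled.
FIELD_RE = re.compile(
    rb"/(Author|Creator|Producer|Title)\s*"
    rb"(?:<([0-9A-Fa-f\s]*)>|\(((?:\\.|[^\\()])*)\))", re.S)
ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f", b"\n": b""}

def _unescape(raw: bytes) -> bytes:
    """Resolve backslash escapes (named and octal) inside a literal string."""
    def sub(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return ESC.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, raw, flags=re.S)

def _decode_text(b: bytes) -> str:
    """PDF text strings are UTF-16BE when they start with the FE FF marker."""
    if b.startswith(b"\xfe\xff"):
        return b[2:].decode("utf-16-be", errors="replace")
    return b.decode("latin-1")  # approximation of PDFDocEncoding

def info_fields(pdf: bytes) -> dict:
    """Return the first value seen for each metadata key of interest."""
    out = {}
    for m in FIELD_RE.finditer(pdf):
        if m.group(2) is not None:
            hexs = re.sub(rb"\s", b"", m.group(2))
            # An odd-length hex string is padded with a trailing zero digit.
            raw = bytes.fromhex((hexs + b"0" * (len(hexs) % 2)).decode())
        else:
            raw = _unescape(m.group(3))
        out.setdefault(m.group(1).decode(), _decode_text(raw))
    return out

# Constructed sample: placeholder author name, not data from the campaign.
_AUTHOR_HEX = ("\ufeff" + "Nguyễn Văn A").encode("utf-16-be").hex().upper().encode()
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Title (Verification steps) /Author <"
          + _AUTHOR_HEX + b"> /Creator (Canva) >>\nendobj\n"
          b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for key, value in info_fields(SAMPLE).items():
        print(f"{key}: {value}")
```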

A Symptom of a Bigger Problem

According to Guardio, AccountDumpling reflects a much larger and more troubling trend. Trusted platforms like Google AppSheet, Vercel, Netlify, Canva, and Google Drive are being increasingly co-opted as delivery mechanisms, hosting solutions, and monetization channels for cybercrime.

This shift makes phishing attacks harder to detect because everything from the email sender to the hosting URL appears clean and legitimate. As Chen pointed out, this campaign is more than just a misuse of Google AppSheet — it’s a glimpse into a thriving underground economy where Facebook access, ad reputation, and even account recovery have become tradable assets.
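Because the sender and the hosting both look clean, a filter has to combine signals rather than trust the domain. The following added example (not code from the article or from Guardio) scores a message on the traits described above: the AppSheet sender, Meta branding, panic wording and links to the named hosting platforms. The hostnames, word lists, sample messages and the function name `triage` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions: default hostnames of the hosting platforms the article names,
# and a small vocabulary for the brand and panic wording it describes.
HOSTING = ("netlify.app", "vercel.app", "drive.google.com")
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
PANIC = re.compile(
    r"\b(appeal|permanent(ly)? delet\w*|disabled?|copyright|verif\w+)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw: str) -> dict:
    """Score one single-part RFC 5322 message; no single signal decides."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}"
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(body)}
    s = {
        "appsheet_sender": addr.lower().endswith("@appsheet.com"),
        "meta_brand": bool(BRAND.search(text)),
        "panic_wording": bool(PANIC.search(text)),
        "hosting_link": any(h == d or h.endswith("." + d)
                            for h in hosts for d in HOSTING),
    }
    # A genuine AppSheet notification has no reason to speak for Meta.
    s["quarantine"] = s["appsheet_sender"] and s["meta_brand"] and (
        s["panic_wording"] or s["hosting_link"])
    return s

# Constructed sample messages (not taken from the campaign).
LURE = ("From: Meta Support <noreply@appsheet.com>\n"
        "Subject: Your page is scheduled for permanent deletion\n\n"
        "Submit an appeal here: https://constructed-sample.netlify.app/appeal\n")
ROUTINE = ("From: AppSheet <noreply@appsheet.com>\n"
           "Subject: Orders app: new row added\n\n"
           "Open the app: https://www.appsheet.com/start/constructed\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("routine", ROUTINE)):
        print(name, triage(raw))
```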

How Users Can Protect Themselves

For Facebook Business owners and casual users alike, awareness is the first line of defense. To reduce the risk of becoming part of the next wave of stolen accounts, users should:

  • Avoid clicking links in unexpected emails, even when they appear official
  • Always verify Meta-related alerts directly through Facebook settings
  • Enable two-factor authentication using authentication apps rather than SMS
  • Watch out for suspicious senders, even if the domain looks legitimate
  • Never share government IDs or login credentials through pop-up forms

The fact that 30,000 Facebook accounts were hacked through this single operation underlines just how lucrative, and dangerous, these scams have become. As cybercriminals continue refining their tactics, vigilance remains the most reliable shield against schemes that hide behind the world’s most trusted brands.

Author

  • Lucienne

    Lucienne Albrecht is Luxe Chronicle’s wealth and lifestyle editor, celebrated for her elegant perspective on finance, legacy, and global luxury culture. With a flair for blending sophistication with insight, she brings a distinctly feminine voice to the world of high society and wealth.
