
Vietnam-Linked “AccountDumpling” Campaign Exploits Google AppSheet to Hijack Thousands of Facebook Accounts

A newly uncovered cybercrime campaign linked to Vietnamese actors has been leveraging Google AppSheet as a phishing relay to send deceptive emails aimed at compromising Facebook accounts.

The operation, dubbed “AccountDumpling” by Guardio, revolves around stealing Facebook accounts and reselling them through illicit online marketplaces controlled by the attackers. Researchers estimate that nearly 30,000 accounts have been breached in this coordinated campaign.

"What we found wasn't a single phishing kit," security researcher Shaked Chen wrote in a report shared with The Hacker News. "It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back."

This discovery highlights a broader trend of Vietnamese threat groups using increasingly sophisticated tactics to gain unauthorized access to Facebook accounts, which are later sold in underground markets for profit.

The attack chain typically begins with phishing emails sent to Facebook Business users, posing as messages from Meta Support. These emails warn recipients that their accounts risk permanent suspension unless they submit an appeal. Notably, the emails originate from a legitimate Google AppSheet address ("noreply@appsheet.com"), which helps them evade spam detection systems.

Victims are then directed to fraudulent websites designed to capture login credentials. Similar tactics were previously reported by KnowBe4 in May 2025.

In recent weeks, attackers have diversified their lures to trigger “Meta-related panic.” These include fake alerts about account bans, copyright violations, verification requests, job offers, and suspicious login activity. Guardio identified four primary attack patterns:
  • Phishing pages hosted on Netlify that mimic Facebook Help Center interfaces, collecting sensitive details such as birth dates, phone numbers, and ID documents, which are then transmitted to attacker-controlled Telegram channels.
  • Fake “blue badge” verification scams directing users through Vercel-hosted pages disguised as security checks, eventually harvesting credentials, business data, and two-factor authentication (2FA) codes.
  • Malicious PDF files hosted on Google Drive, posing as verification instructions, tricking users into submitting passwords, 2FA codes, ID images, and browser screenshots. These PDFs were created using a free Canva account.
  • Fraudulent job offers impersonating well-known brands such as WhatsApp, Adobe, Pinterest, Apple, and Coca-Cola to build trust and lure victims into further interaction on malicious platforms.
Across the first three attack clusters alone, associated Telegram channels were found to store around 30,000 victim records. Affected users span multiple countries, including the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, with many losing access to their accounts entirely.
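As an added illustration that is not part of Guardio's report or the original article, the following Python heuristic scores a raw email against the indicators described above: a sender relayed through appsheet.com with a Meta or Facebook display name, "Meta-panic" lure phrases, and links to the free-hosting services the campaign used. The lure phrases, the scoring scheme and both sample messages are this example's own constructions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Relay sender and hosting providers named in the article.
RELAY_DOMAINS = {"appsheet.com"}
LURE_HOSTS = {"netlify.app", "vercel.app", "drive.google.com"}
# Lure themes from the article; the regexes themselves are this example's choice.
LURE_PATTERNS = [
    r"permanent(ly)?\s+(suspend|disabl|ban)",
    r"meta\s+support", r"copyright\s+violation",
    r"(blue\s+badge|verif(y|ication))", r"suspicious\s+login",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    """Crude eTLD+1 approximation (last two labels); enough for these hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    if sender_dom in RELAY_DOMAINS:
        reasons.append(f"sent via relay domain {sender_dom}")
        if re.search(r"meta|facebook", name, re.I):
            reasons.append("relay sender carries a Meta/Facebook display name")
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"{len(hits)} Meta-panic lure phrase(s) in subject/body")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in LURE_HOSTS or registrable(host) in LURE_HOSTS:
            reasons.append(f"link to free-hosting domain {host}")
            break  # one hosting hit is enough for the score
    return len(reasons), reasons

# Constructed sample messages (not real campaign artifacts).
SAMPLE_PHISH = ("From: Meta Support <noreply@appsheet.com>\n"
                "Subject: Your page will be permanently suspended\n\n"
                "Submit an appeal within 24 hours:\n"
                "https://help-center-appeal.netlify.app/appeal\n")
SAMPLE_BENIGN = ("From: Alice <alice@example.com>\nSubject: Lunch tomorrow?\n\n"
                 "Does noon work? https://example.com/menu\n")
```

A score of 3 or more on a message that is not itself sent by a known AppSheet workflow is a reasonable quarantine threshold; lone AppSheet notifications with no Meta branding score 1 and pass.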

Investigators traced part of the operation back to a Vietnamese individual after analyzing metadata embedded in the phishing PDFs, which listed the name “PHẠM TÀI TÂN” as the author. Further open-source investigation uncovered a website linked to this identity offering digital marketing services.

In a February 2023 post on X, the site’s account stated it "specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies."

"Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation," Chen said. "This campaign is bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers."