Guardio said the attackers used and private channels to collect stolen credentials and session tokens. This system allowed operators to receive data quickly and attempt account takeovers before victims recovered access.
Researchers found around 30,000 victim records linked to the first three clusters. Many victims were located in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico.
The campaign mainly targeted Facebook accounts with business value. Stolen accounts and pages can support ad fraud, scam campaigns, and resale activity in underground markets.
Guardio also reported attribution clues linked to Vietnam. Metadata from Canva-generated PDFs listed the author name “PHẠM TÀI TÂN.” Further open-source checks led researchers to a website linked to .
Chen said the findings form “a consistent picture of a large, Vietnamese-based, mega operation.” Still, the public evidence does not amount to a formal law enforcement finding.
The AccountDumpling case shows how phishing groups can misuse trusted platforms such as Google AppSheet, Netlify, Vercel, Google Drive, Canva, and Telegram. It also shows why Facebook Business users remain frequent targets for account theft and resale.