Not a spoofed Google address. Not a convincing lookalike domain. An actual, authenticated Google email — from noreply@appsheet.com — that sails through every spam filter your IT team paid good money to deploy, clears SPF, DKIM, and DMARC authentication checks without a hiccup, and lands in your inbox looking like a routine Meta policy notice. By the time you realise you've handed over your Facebook Business account credentials, your two-factor authentication code, and possibly a photograph of your government-issued ID, the session data is already streaming into a Telegram bot controlled by operators sitting in Vietnam.
This is Account Dumpling. And the 30,000 Facebook users hacked in this campaign are, by every available measure, only the visible surface of something considerably larger.
The Anatomy of a Living Operation
Guardio Labs, the cybersecurity firm that cracked this campaign open, published its findings in late April 2026 after researchers spent weeks reverse-engineering what initially looked like a routine phishing cluster. It wasn't. What they found was a modular, multi-actor criminal supply chain — coordinated through Telegram, monetised through underground account resale markets, and sophisticated enough to include real-time operator panels that let attackers interact with victims while they were still actively filling out fake forms.
"What we found wasn't a single phishing kit," wrote Guardio researcher Shaked Chen in a report shared with The Hacker News. "It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back."
Read that last phrase twice. The same accounts it helps steal back. AccountDumpling's operators weren't just selling access to compromised Facebook accounts on underground markets — they were also running an account recovery service. Victims would discover their account had been taken over, panic, Google for solutions, and potentially stumble onto the very people who stole it, paying a fee to "recover" what was always theirs. A cybercrime ouroboros. Cold, operationally elegant, and deeply illustrative of how far commercial-grade criminal infrastructure has come.
How Google's Own Tools Became the Weapon
The technical mechanism here deserves more attention than most coverage has given it.
Google AppSheet is a no-code application development platform designed for business automation — the kind of tool a small operations team might use to build internal dashboards without writing a line of code. Like most of Google's productivity infrastructure, it sends legitimate notification emails from verified Google addresses. Those emails pass authentication because they are, technically, authentic Google emails. They just contain malicious content.
The attackers registered AppSheet accounts, used the platform's notification system to dispatch phishing emails at scale from noreply@appsheet.com and appsheet.bounces.google.com, and watched as corporate spam filters waved the messages through. From there, four distinct attack clusters went to work:
Cluster A used HTTrack — a free website-copying tool — to clone the Facebook Help Centre, hosting the replica on Netlify. Victims who clicked were walked through what looked like a legitimate appeals process, surrendering credentials, dates of birth, phone numbers, and government ID photos, which were automatically forwarded to attacker-controlled Telegram channels.
Cluster B deployed blue badge evaluation lures. Fake "Security Check" and "Meta | Privacy Center" pages hosted on Vercel promised victims a pathway to Facebook's coveted verification badge, gating entry with a bogus CAPTCHA before funnelling users to credential-harvesting landing pages.
Cluster C used Google Drive to host PDFs — designed in a free Canva account — that purported to be official Meta verification instructions. These pages ran a Socket.IO-based panel allowing operators to interact with victims in real time, requesting specific authentication codes while watching the session unfold through captured browser screenshots.
Cluster D went the direct social engineering route: fake recruiter outreach, executive LinkedIn-style messages, and personalised lures constructed from public account data.
The infrastructure is, by most definitions, impressive. Not in a way that should generate admiration — but in a way that should generate alarm.
"This campaign is bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers."
— Shaked Chen, Security Researcher, Guardio Labs
The Numbers That Actually Matter
Roughly 30,000 Facebook accounts were hacked in this operation — but the geographic concentration tells a more specific story.
| Geography | Share of Confirmed Victims |
|---|---|
| United States | ~68.6% |
| United Kingdom | Significant minority |
| Canada | Significant minority |
| Italy | Notable share |
| Europe, Asia, Americas (other) | Remaining distributed |
This is not a campaign targeting developing markets with weaker security awareness. It's targeting English-speaking, Western business users — people who run Facebook Business accounts, manage ad spend, and have pages with advertising history and credibility baked in. Those accounts aren't worth $10 on an underground forum. A seasoned Facebook Business account with a clean payment history and an established ad reputation can fetch hundreds of dollars. The blue badge lure wasn't chosen at random; verified accounts command a premium, both in the resale market and as staging infrastructure for future fraud.
Attribution points to Vietnam. Metadata from a Google Drive-hosted Canva PDF used in the campaign identified a Vietnamese name, "Phạm Tài Tân," linked by Guardio researchers to an online persona offering Facebook account recovery services. Vietnamese-language code comments, bot naming conventions, and consistent infrastructure patterns form what Chen called "a consistent picture of a large, Vietnamese-based, mega operation." This isn't Guardio's first brush with Vietnamese threat actors targeting Facebook — a comparable campaign was documented by KnowBe4 as recently as May 2025. The playbook is refined because it's been refined.
What This Reveals About Meta's Verification Problem
Here's the counterintuitive observation that almost no one is making: Meta's blue badge didn't cause this attack, but Meta's handling of verification absolutely enabled it.
The entire premise of Account Dumpling's most effective cluster — the blue tick lure — rests on a simple truth: people desperately want Facebook's verification badge, they're unclear on how to get it legitimately, and they're primed to believe that Meta might email them about it. That's not a user education failure. It's a product design failure.
Meta monetised verification through Meta Verified, its subscription programme that bundles a blue badge with account support. The subscription model created legitimate demand for verification while simultaneously creating confusion about what the process looks like. When an email arrives claiming your verification review is pending, or that your account will be deleted unless you appeal, users have no reliable mental model of what a genuine Meta communication should look like — because Meta's own communications are inconsistent.
The European context adds regulatory weight. In late 2025, the European Commission hit X with a €120 million fine under the Digital Services Act specifically because its blue verification badge functioned as a deceptive design element — it implied authenticity the platform couldn't actually guarantee. The same logic applies, more or less precisely, to what Account Dumpling exploited on Facebook. In Q1 2026, separate research identified 170 verified Facebook profiles publishing more than 67,000 fraudulent ads across Europe — many from stolen or impersonated accounts that had somehow cleared Meta's verification process. The badge, across multiple platforms, has become a trust signal that bad actors exploit more efficiently than good actors benefit from it.
Regulators in Brussels are watching. The Digital Services Act's enforcement apparatus is designed for exactly this kind of systemic failure. Meta's response to Account Dumpling — or lack thereof — will be noted.
Why Founders Should Care More Than Anyone
For startup operators reading this: your Facebook Business account is not a social media asset. It is a financial instrument.
Your ad account history, your verified payment methods, your audience data, your conversion pixel — all of it has monetary value in markets you'll never see. A compromised business account can drain ad budgets in hours, destroy brand reputation through fraudulent campaigns, and take weeks of support hell to recover. That's assuming you can recover it at all. Meta's business support infrastructure is notoriously unresponsive for hacked accounts — a point the Account Dumpling operators clearly understood and exploited in their recovery scam arm.
The practical security posture here is not complex, but it requires genuine organisational commitment rather than checkbox compliance:
- Hardware security keys — not authenticator apps, not SMS — for any account with advertising access.
- Strict separation of personal and business Facebook accounts at the organisational level.
- Explicit policies on what a legitimate Meta communication looks like, and mandatory verification through official channels before any appeal action is taken.
The specific tell in this campaign was urgency. One phishing email from April 2026 carried the subject line "Case ID: 6480258166" and threatened permanent account disablement within 24 hours. That framing — act now, or lose everything — is the signature of social engineering, not platform policy. Any communication demanding immediate credential action through a link in an email is, by definition, suspect.
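Because the AppSheet mail passes SPF, DKIM and DMARC, a mail gateway has to look past authentication and ask who the authenticated sender is speaking for. The following is an added example, not Guardio's code or anything from the report: it parses a raw message, pulls the DKIM signing domain from Authentication-Results, and flags a message when a notification relay (appsheet.com is from the campaign; the relay list, brand list and allowed link hosts are assumptions) speaks for Meta, links off-brand, or carries the urgency and case-ID framing described above. The two sample messages are constructed; only the subject line comes from the report.

```python
import re
from email import message_from_string
# Relays that pass SPF/DKIM/DMARC for their own domain yet carry user-authored
# content (appsheet.com is from the campaign; the rest of these lists are
# assumptions a real deployment would maintain itself).
RELAY_DOMAINS = {"appsheet.com", "appsheet.bounces.google.com"}
BRAND_TERMS = re.compile(r"\b(meta|facebook|instagram)\b", re.I)  # brands a relay never speaks for
BRAND_HOSTS = ("facebook.com", "meta.com")                         # where a genuine Meta link should point
LINK_HOST = re.compile(r"https?://([\w.-]+)", re.I)
SIGNALS = {  # the urgency and case-id framing the campaign used
    "deadline/urgency language": re.compile(r"\b(within \d+ hours?|permanently disabled|immediately)\b", re.I),
    "case-id framing": re.compile(r"\bcase id\s*:?\s*\d{6,}", re.I),
}

def authenticated_domain(msg):
    """DKIM signing domain (header.d=) from Authentication-Results when dkim=pass."""
    m = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)

def classify(raw):
    """Return ('suspect' | 'ok', reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = "\n".join([msg.get("From", ""), msg.get("Subject", ""), body_text(msg)])
    reasons = [name for name, rx in SIGNALS.items() if rx.search(text)]
    dom, brand = authenticated_domain(msg), BRAND_TERMS.search(text)
    if dom in RELAY_DOMAINS and brand:  # authenticated, but the relay is speaking for Meta
        reasons.append(f"relay {dom} speaks for brand {brand.group(0)}")
        offbrand = [h for h in LINK_HOST.findall(text) if not h.lower().endswith(BRAND_HOSTS)]
        if offbrand:
            reasons.append(f"brand lure links to non-brand host {offbrand[0]}")
    return ("suspect" if len(reasons) >= 2 else "ok"), reasons

# Constructed samples: a lure modelled on the campaign (subject from the report, placeholder link host) and a benign AppSheet notice.
PHISH = """From: Meta Business Support <noreply@appsheet.com>
Subject: Case ID: 6480258166 - Policy violation on your Page
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=appsheet.com; dmarc=pass

Your Facebook Business account will be permanently disabled within 24 hours unless you appeal at https://meta-privacy-center.example.net/appeal
"""
BENIGN = """From: AppSheet <noreply@appsheet.com>
Subject: Your app 'Inventory Tracker' was deployed
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=appsheet.com; dmarc=pass

Deployment finished: https://www.appsheet.com/start/example
"""
```

The benign AppSheet notice stays clean because no brand term appears, which is the distinction a pure authentication check cannot make.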
Key Takeaways
The attack vector is now Google, not some sketchy domain. Emails from noreply@appsheet.com pass all standard authentication checks. Traditional spam filtering cannot catch this.
The blue badge isn't just a vanity metric — it's a phishing lure with demonstrated conversion rates. Attackers specifically engineered a cluster around verification desire because it works.
AccountDumpling is a supply chain, not a single campaign. Multiple actor groups handle acquisition, credential processing, account resale, and "recovery" as distinct business functions. Disrupting one node doesn't collapse the operation.
68.6% of victims are in the United States. This is not a problem concentrated in markets with lower security awareness. It's a problem aimed squarely at the world's most commercially valuable Facebook user base.
Meta's verification design is a structural vulnerability. Until the company creates a transparent, unambiguous process for what official verification communications look like — and enforces it technically, not just through policy — the blue tick will keep functioning as the internet's most effective phishing prop.
The 30,000 Facebook users hacked in this operation will spend weeks or months trying to reclaim accounts that contain years of business history. Some won't succeed. The operators behind AccountDumpling, meanwhile, will iterate. The platform infrastructure they abused — AppSheet, Netlify, Vercel, Canva, Google Drive — remains available. The monetisation loop remains intact. And the next campaign is already in development, probably using a slightly different trusted platform, a slightly different lure, a slightly different Telegram exfiltration chain.
The cybersecurity industry has a habit of framing attacks like this as clever. It's the wrong frame. AccountDumpling isn't clever. It's industrialised. And the factories are running.