
The WhatsApp and Gmail of 800+ key figures in the Middle East hacked in major cyber espionage campaign

  • Marijan Hassan - Tech Journalist
  • 12 hours ago
  • 2 min read

The campaign targets diplomats, journalists, and officials using zero-click exploits and social engineering.



A sophisticated cyber espionage campaign has successfully breached the WhatsApp and Gmail accounts of more than 800 high-profile individuals across the Middle East, including senior government officials, academics, and business leaders. The discovery, first raised as an "urgent security alert" by U.K.-based activist Nariman Gharib, reveals a multi-layered attack designed to turn personal smartphones into live surveillance tools.


The campaign targets a narrow, influential list of individuals involved in Iranian affairs, coinciding with the country's longest nationwide internet shutdown and ongoing anti-government protests.


The attack chain: It starts with a WhatsApp link

The hackers used highly targeted spear-phishing messages sent directly via WhatsApp to lure victims into a trap. The message contained a suspicious link masked by DuckDNS (a dynamic DNS provider) to appear as a genuine WhatsApp web address.


Tapping the link loaded a phishing page that either mimicked a Gmail login or presented a QR code.
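A defender-side check for the kind of lure described above, added here as an example that is not part of the original article or of any researcher's tooling: it pulls URLs out of message text and flags hosts on a dynamic DNS provider, brand names in a non-official hostname, and a brand placed before the real host as userinfo. Only `duckdns.org` comes from the article; the brand tokens, the official-domain list, the function names and the sample messages are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for this example; only duckdns.org comes from the article.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)
BRAND_TOKENS = ("whatsapp", "gmail", "google")
OFFICIAL_DOMAINS = ("whatsapp.com", "google.com", "gmail.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def classify_url(url):
    """Return the reasons a URL looks like a brand lure (empty list = no finding)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or any(_under(host, d) for d in OFFICIAL_DOMAINS):
        return []
    reasons = []
    if any(_under(host, s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns-host")
    # Compare per label with hyphens removed, so "whats-app" still matches.
    labels = [label.replace("-", "") for label in host.split(".")]
    if any(tok in label for tok in BRAND_TOKENS for label in labels):
        reasons.append("brand-in-hostname")
    # "https://web.whatsapp.com@host/" shows a brand name before the real host.
    if parts.username:
        reasons.append("userinfo-before-host")
    return reasons

def scan_messages(messages):
    """Extract URLs from message text; return (url, reasons) for each finding."""
    hits = []
    for text in messages:
        for raw in URL_RE.findall(text):
            url = raw.rstrip(".,;)")
            reasons = classify_url(url)
            if reasons:
                hits.append((url, reasons))
    return hits

# Constructed sample messages; the hostnames are invented for illustration.
SAMPLE_MESSAGES = [
    "Join the meeting room: https://whatsapp-web.constructed-example.duckdns.org/join",
    "Official client is at https://web.whatsapp.com/.",
    "Sign in: https://web.whatsapp.com@constructed-example.duckdns.org/login",
]
```

Calling `scan_messages(SAMPLE_MESSAGES)` returns findings for the first and third messages only; the check works on the parsed hostname rather than on a substring of the URL, which is why the genuine `web.whatsapp.com` link is not flagged and the userinfo trick is.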


Account hijacking

Victims who scanned the QR code, thinking they were joining a "virtual meeting room," instantly linked their WhatsApp account to an attacker-controlled device. Meanwhile, the fake Gmail portal captured usernames, passwords, and even two-factor authentication (2FA) codes in real time.


Live surveillance: turning phones into spies

Analysis of the phishing site's source code by security researchers and TechCrunch revealed how invasive the access could be. If a victim granted browser permissions, the attackers could:


  • Track location: The site would exfiltrate the victim’s GPS coordinates every few seconds.

  • Record audio: The code allowed for bursts of audio recording via the device's microphone.

  • Capture photos: The hackers could remotely snap photos using the device’s camera every three to five seconds.


The attacker's server was found exposed and accessible without a password, revealing over 850 records of information from victims who had unwittingly entered their credentials.


The victim list

While the number of fully compromised accounts identified so far is relatively low (fewer than 50 confirmed), the 800+ targeted individuals represent a "Who's Who" of regional influence:

Who is behind the attack?

Attribution remains debated, though experts point toward an espionage-driven motivation rather than financial gain.


The case for Iran

Security researchers at Citizen Lab noted the campaign carries the "hallmarks of an IRGC-linked spear-phishing campaign," specifically the Islamic Revolutionary Guard Corps' history of targeting the Iranian diaspora.


The case for cybercrime proxies

Other analysts noted that the infrastructure (registered as early as August 2025) resembles a cybercrime operation, suggesting the Iranian government may have outsourced the hack to criminal groups to maintain plausible deniability.


Following the revelation, people are advised against clicking on unsolicited WhatsApp links, no matter how convincing.
