AccountDumpling: Google-Delivered Phishing, 30,000 Facebook Accounts Compromised

By xploitzone
May 2, 2026 5:08 PM

Guardio Labs has exposed a dangerous Vietnamese-linked phishing operation called AccountDumpling that compromised 30,000 Facebook Business accounts by using Google AppSheet as a phishing relay. SPF, DKIM and DMARC all pass, the emails are real, and the victims don't even know. The stolen accounts are sold back by the same operators.

One morning you get an email from Google in your inbox. Sender: [email protected]. Delivery from appsheet.bounces.google.com. SPF check green, DKIM verified, DMARC passed. The email says your Facebook Business account will be permanently disabled in 24 hours due to a policy violation. You click, and after this one click the account on which your business ads and business reputation rest goes into someone else's hands.

Guardio Labs researcher Shaked Chen publicly exposed the operation, named AccountDumpling, on April 29, 2026. It was a Vietnamese-linked phishing campaign that had compromised more than 30,000 Facebook accounts by using Google AppSheet as a phishing relay, and it sold the stolen accounts back through illicit storefronts run by the attackers themselves. This was not just a phishing campaign; it was an entire criminal economy operating on Google's own infrastructure.

The thing that's really revolutionary and terrifying about AccountDumpling is that there was no spoofing, no compromised servers and no shady SMTP relay. The messages originated directly from Google's servers, sent from a [email protected] address through an automated workflow notification system, so they align perfectly with the SPF, DKIM and DMARC authentication protocols.

This basic trust inversion allowed the campaign to completely bypass traditional secure email gateways and spam filters. Deceptive Facebook policy violation warnings were delivered directly to high-value business account owners without triggering any security alerts.

Google AppSheet is a legitimate no-code app-building platform that developers use for workflow automation and internal notifications. Attackers used the tool's free tier, set up their own phishing notifications and put Google's entire trusted infrastructure to work for them. A fully authenticated email only proves that the platform sent it; it does not prove that the message itself is trustworthy. Attackers noticed this. They always do.

Four Lures, One Trap: The Name Behind It All

Guardio researchers identified four primary attack clusters. The first was fake Facebook Help Center pages hosted on Netlify that collected victims' usernames and passwords along with dates of birth, phone numbers and government-issued ID photos, meaning complete identity capture and not just credential theft.

The second cluster was a reward trap hosted on Vercel that used the lures of blue badge verification and Meta rewards. The third was PDFs hosted on Google Drive that appeared to be official policy documents. The fourth was recruiter-style social engineering that lured victims with executive job offers.

The back end of this operation ran entirely on Telegram bots: stolen credentials, two-factor authentication codes, dates of birth and government-issued ID photos can be instantly routed to private Telegram channels, where operators across the world can validate the stolen data in real time and execute account takeovers.

The most dramatic moment of attribution in this entire investigation was a simple operational security failure. Guardio researchers analyzed the metadata of a Google Drive-hosted PDF used in the campaign's third attack cluster. The PDF was created on Canva, and the operators forgot to scrub the author metadata.

The file contained an embedded Vietnamese name, Phạm Tài Tân. Researchers linked this name to a public businessperson in Vietnam who actively offers Facebook account recovery services. Vietnamese-language code comments and bot naming conventions confirmed that this was a modular ecosystem involving multiple actors.

This is a consistent pattern among Vietnamese threat actors: gaining unauthorized access to Facebook accounts and then selling them for monetary gain in underground ecosystems. "This is a campaign much bigger than just AppSheet abuse. It's a window into the dark market of stolen Facebook assets, where access, business identity, ad reputation and account recovery have all become tradable commodities," said Guardio's Chen.

By analyzing the Telegram bot infrastructure, researchers identified roughly 30,000 compromised accounts. The geographic distribution was alarming: 68% of victims were in the United States, with the rest from Europe, Asia and the Americas.

Guardio researchers recovered so much victim data that they were able to reach many victims directly, inform them that they had been compromised and help them act before further damage could occur. This operation was not just stealing accounts. It was a grim business with real-time operator panels, advanced evasion, continuous evolution and a criminal commercial loop that thrived on the same accounts it helped steal.

The most important thing in protecting against this attack is to understand that an email coming from Google is not safe just because of where it comes from. Authenticating the platform and trusting the message are two completely different things, and that gap is what AccountDumpling exploited.

Facebook Business account owners should go directly to facebook.com/support, rather than clicking any link, whenever an email talks about account suspension, copyright violation or urgent verification. Two-factor authentication should be moved to a hardware security key, and government IDs should never be submitted to any third-party form, no matter how legitimate the email appears.
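
The platform-versus-message distinction above, written as a mail-triage check (an added example, not code from Guardio's report or from this article): a pass on SPF, DKIM and DMARC through the AppSheet relay is treated as one signal and combined with a Facebook/Meta reference and a link to the hosting services the article names. The hosting suffixes, the brand pattern and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed values, not from the article: hosting suffixes and brand pattern.
RELAY = "appsheet.bounces.google.com"  # delivery domain named in the article
HOSTING = ("netlify.app", "vercel.app", "drive.google.com")
BRAND_RE = re.compile(r"\b(facebook|meta)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message (headers and URL are illustrative).
LURE = """\
Return-Path: <bounce-1@appsheet.bounces.google.com>
Authentication-Results: mx.example.net; spf=pass; dkim=pass header.d=google.com;
 dmarc=pass header.from=google.com
Subject: Your Facebook Business account will be disabled in 24 hours

Policy violation detected. Appeal: https://help-center-example.netlify.app/appeal
"""

def auth_passes(msg):
    """True when Authentication-Results reports spf, dkim and dmarc pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def relay_domain(msg):
    """Domain of the envelope sender recorded in Return-Path."""
    return msg.get("Return-Path", "").strip("<> \t").lower().rsplit("@", 1)[-1]

def assess(raw):
    """List the signals a raw message shares with the campaign pattern."""
    msg = message_from_string(raw)
    # Transfer-encoded (base64/QP) parts are not decoded here.
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    domain = relay_domain(msg)
    signals = []
    if auth_passes(msg) and (domain == RELAY or domain.endswith("." + RELAY)):
        signals.append("authenticated AppSheet relay")
    if BRAND_RE.search(text):
        signals.append("names Facebook/Meta")
    if any(h == s or h.endswith("." + s) for h in hosts for s in HOSTING):
        signals.append("links to free hosting")
    return signals

def is_suspicious(raw):
    # Passing SPF/DKIM/DMARC is one input here, never the verdict.
    return len(assess(raw)) == 3
```

A match is a triage signal for quarantine or analyst review, since legitimate AppSheet notifications can also carry Google Drive links.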
