Phishing · Resolved

Nile Phish phishing campaign against Egyptian civil society

A large-scale, highly targeted phishing campaign documented by Citizen Lab sent 90+ credential-stealing messages to Egyptian NGOs, activists, and lawyers tied to the government's 'Case 173' crackdown on civil society.

Victim
Egyptian NGOs, human-rights activists, lawyers and journalists (Case 173 targets)

On 2 February 2017, the University of Toronto's Citizen Lab, working with Egyptian NGOs, published Nile Phish, documenting a large-scale, highly personalized phishing campaign aimed at the heart of Egypt's human-rights community. The operators sent at least 92 credential-stealing messages, almost all targeting people and organizations entangled in "Case 173" — the Egyptian government's sweeping legal crackdown on civil-society groups accused of receiving foreign funding.

What happened

Nile Phish unfolded in two phases. The first, beginning in late November 2016, used hyper-personalized lures that demonstrated an unsettling, real-time awareness of the targets' lives and of Egyptian state action. In the most striking example, within hours of the arrest of women's-rights activist Azza Soliman on 7 December 2016, her colleagues received emails purporting to share a copy of her arrest warrant — actually a credential-harvesting trap. Other lures impersonated event invitations, travel-ban notifications, and shared documents.

The second phase shifted to more generic content — fake Gmail and Dropbox "account security" warnings and package-delivery notices — spread across dozens of attacker-controlled domains. The operators relied on the open-source Gophish framework and roughly 33 domains hosted on European providers. Crucially, the attacks used classic credential phishing rather than malware, sidestepping antivirus detection and exploiting the targets' reliance on Gmail and Dropbox.

Impact

  • At least 92 phishing messages documented against 7 named NGOs plus numerous individual activists, lawyers, and journalists.
  • Targeted organizations included the Egyptian Initiative for Personal Rights (EIPR), the Cairo Institute for Human Rights Studies (CIHRS), the Association for Freedom of Thought and Expression (AFTE), the Egyptian Commission for Rights and Freedoms (ECRF), Nazra for Feminist Studies, and the Nadeem Center.
  • Nearly all victims were implicated in Case 173, which already subjected them to asset freezes, travel bans, and arrests.

Attribution

Citizen Lab explicitly declined to conclusively attribute Nile Phish to a specific sponsor. However, it emphasized that the campaign showed "intimate familiarity" with the targeted NGOs' activities and an ability to phish within hours of Egyptian government actions — including arrests and prosecutorial moves in Case 173. The report noted this timing strongly suggested either coordination with, or close access to, Egyptian state operations.

Why it matters

Nile Phish became a landmark case in digital repression of civil society. It showed that effective, large-scale surveillance of dissidents does not require costly exploits or commercial spyware — well-crafted, context-aware phishing can be devastatingly effective against under-resourced NGOs. The campaign's tight synchronization with judicial and police actions in Case 173 illustrated how legal persecution and cyber-operations can reinforce each other, and it cemented Citizen Lab's methodology of pairing technical analysis with on-the-ground human-rights documentation.

Timeline

  1. Earliest documented Nile Phish message; the campaign's first phase uses hyper-personalized lures tied to current events.

  2. Within hours of activist Azza Soliman's arrest, her colleagues receive phishing emails purporting to contain her 'arrest warrant.'

  3. Phase two begins, shifting to generic Gmail/Dropbox account-security and package-delivery lures across new domains.

  4. The most recent message in Citizen Lab's dataset is sent; the campaign is still active at the time of analysis.

  5. Citizen Lab publishes 'Nile Phish,' documenting 92+ messages against 7 NGOs and numerous individuals tied to Case 173.

Sources

  1. citizenlab.ca: https://citizenlab.ca/2017/02/nilephish-report/
  2. theintercept.com: https://theintercept.com/2017/02/02/egyptian-rights-activists-are-targeted-by-sophisticated-hacking-attacks/
  3. helpnetsecurity.com: https://www.helpnetsecurity.com/2017/02/02/ngos-phishing/
  4. thehill.com: https://thehill.com/policy/cybersecurity/317528-egyptian-ngos-targeted-in-phishing-campaign/
  5. madamasr.com: https://www.madamasr.com/en/2017/02/02/news/u/civil-society-organizations-activists-targeted-by-2-month-long-hacking-campaign/
