A newly uncovered global campaign is exploiting WhatsApp’s most familiar features — trust, convenience, and seamless connectivity — to hijack user accounts at scale. The scheme, identified by cybersecurity firm CTM360, reveals how even end-to-end encrypted platforms remain vulnerable when attackers target human behaviour rather than the encryption itself.
A Global Scam Built on Familiarity
In recent weeks, cybersecurity researchers have traced a rapidly spreading cyber-fraud operation that preys on WhatsApp users worldwide. The campaign, which investigators have named “HackOnChat,” uses a network of deceptive web portals designed to mimic WhatsApp’s official login environment, particularly the platform’s web-based dashboard known as WhatsApp Web.
The mechanics are deceptively simple but operationally sophisticated: hackers deploy thousands of low-cost, multilingual phishing pages that prompt users to scan a QR code or enter an authentication token. Once a victim complies, the attacker silently attaches a new device to the user’s account or captures their one-time passcode — steps that, in normal use, enable seamless syncing across laptops, tablets, and browsers.
Analysts say the campaign has emerged at a moment of heightened vulnerability for WhatsApp. Meta Platforms, the app’s parent company, reported in August 2025 that it had removed 6.8 million accounts linked to global scam centres in just six months. The discovery of HackOnChat further underscores how messaging platforms have become prime terrain for social engineering tactics that exploit user familiarity rather than technical vulnerabilities.
How the Attack Works: A Two-Stage Method
Investigators describe HackOnChat as relying on two primary tactics that exploit WhatsApp’s convenience-driven design.
First, session hijacking: using the “linked device” feature of WhatsApp Web, attackers coax victims into unknowingly pairing an external device with their account. This gives intruders access to incoming messages, contact lists, and ongoing chats, all without triggering an immediate alert.
Second, account takeover: victims are redirected to portals that resemble WhatsApp’s login interface. These portals request users to enter a verification code sent by WhatsApp — a standard security step. But once the code is entered, attackers gain full account control, allowing them to reset security settings, monitor chats, and impersonate the victim with alarming ease.
Cybersecurity analysts stress that the weakest link is rarely the encryption that protects messages; rather, it is the “trusted workflows” — the mental shortcuts users take when an interface looks familiar or when a prompt resembles an expected system message.
Why the Threat Is Growing
The proliferation of malicious portals underlines how low the barrier to entry has become for large-scale phishing campaigns. According to CTM360, threat groups have registered thousands of inexpensive domain names, using template-based site builders and automated tools to replicate the WhatsApp Web environment in multiple languages.
The global spread of these portals allows attackers to target users across regions, income levels, and device types, often tailoring pages with local scripts and country selectors.
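As an added defender-side example (not from the CTM360 report or this article), the Python below scans constructed proxy-log lines for hostnames that imitate WhatsApp Web, the kind of lookalike portal described above and in the two-stage method. The official host list, the edit-distance threshold and the log format are assumptions.

```python
from urllib.parse import urlsplit
# Assumption: these are the hosts the real WhatsApp Web client is served from.
OFFICIAL_HOSTS = {"web.whatsapp.com", "www.whatsapp.com", "whatsapp.com"}
BRAND = "whatsapp"
MAX_EDITS = 2  # character edits still treated as "looks like whatsapp"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch typosquats such as 'wh4tsapp'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(host: str):
    """Return why a host imitates WhatsApp Web, or None for official/unrelated."""
    host = host.lower().rstrip(".")
    if host in OFFICIAL_HOSTS:
        return None
    for label in host.split("."):
        # Brand as a label or inside one, e.g. whatsapp.com.example.test
        if BRAND in label:
            return f"brand '{BRAND}' in unofficial label '{label}'"
        if abs(len(label) - len(BRAND)) <= MAX_EDITS and edit_distance(label, BRAND) <= MAX_EDITS:
            return f"label '{label}' within {MAX_EDITS} edits of '{BRAND}'"
    return None

def scan_proxy_log(log_text: str):
    """Parse constructed 'timestamp client url' lines; return (client, host, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            hits.append((parts[1], host, reason))
    return hits

# Constructed sample lines: one official visit, two lookalikes, one unrelated site.
SAMPLE_LOG = """\
2025-11-03T10:14:02Z 10.0.0.12 https://web.whatsapp.com/
2025-11-03T10:15:40Z 10.0.0.12 https://web-whatsapp-login.example.test/qr
2025-11-03T10:16:05Z 10.0.0.31 https://wh4tsapp.example.test/verify
2025-11-03T10:17:11Z 10.0.0.44 https://news.example.test/whatsapp-tips
"""
```

Run over real proxy or DNS logs, this flags candidate portals for analyst review rather than proving them malicious; the brand-in-path case (last sample line) is deliberately left unflagged because only the hostname is impersonated in the campaign described.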
Once a WhatsApp account is compromised, the attack rarely stops there. Hijacked accounts are immediately used to message the victim’s contacts — often family members or trusted colleagues — requesting money, sensitive documents, or identity information. The deception works because the outreach appears to come from someone the recipient knows.
From there, the scam can cascade. Each new compromised account becomes a launchpad for additional attacks, widening the circle of victims in a pattern that investigators say resembles “a slow-moving but relentless chain reaction.”
The Human Factor and the Road Ahead
The HackOnChat campaign highlights a broader challenge for encrypted communication platforms: technical safeguards are only as strong as the behaviours surrounding them.
Security teams are now working to assess the full scope of the campaign — how many sessions have been hijacked, whether specific user groups (such as senior executives or enterprise users) are being targeted, and how widely these malicious portals have been deployed.
On the user side, experts emphasise habits that remain critical but often overlooked:
- enabling two-step verification;
- treating one-time codes as confidential;
- scrutinising links that claim to be WhatsApp Web or “security alerts”;
- and closing old or unused linked sessions in the app’s settings.
Kaspersky and other cybersecurity firms have issued parallel advisories, warning that messaging platforms have become the most common entry points for social engineering attacks worldwide.