The BJP spokesperson's compromised account becomes the latest in a growing line of Indian public figures whose WhatsApp identities have been hijacked to extract money from unsuspecting contacts, arriving just days after the government forced Meta to suspend a feature it warned could make such impersonation easier still.

MP Sambit Patra’s WhatsApp Account Hacked; Public Warned Against Fake Money Requests

The420 Web Correspondent
7 Min Read

Bharatiya Janata Party national spokesperson and Member of Parliament Sambit Patra announced on Sunday that his WhatsApp account had been hacked, warning the public not to trust any messages, calls, or requests for money sent from his number. He said the matter had been reported to the police, and that necessary legal and technical action was already underway.

In a post on X, Patra said that after his WhatsApp account was compromised, misleading messages were being sent to people from his number, with fraudsters seeking money through various means. He clarified that all such messages were completely fake and had no connection with him, urging people not to trust any financial transaction requests, calls, or messages originating from his number until the account was fully secured and restored. He also advised recipients not to send money under any circumstances and to avoid responding to any suspicious communication. Following the incident, the matter was escalated to senior police officials, and a technical investigation was launched to examine how the cybercriminals gained access and to identify those responsible.

Not the First Time, Not Even the First This Cycle

Patra’s case fits a pattern that has now touched public representatives across party lines. Last year, Nationalist Congress Party (Sharadchandra Pawar faction) working president and MP Supriya Sule’s WhatsApp account was similarly compromised, with hackers allegedly demanding US$400 to restore access. Sule filed an online complaint, and investigators found her account had been activated on another device, restoring it within a few hours through technical intervention. She had also appealed to the public to remain vigilant, avoid responding to suspicious messages from unknown numbers, and immediately report any unusual activity to police, guidance that closely mirrors Patra’s own warning this week.

The recurrence of this exact scenario, a known public figure’s account compromised and used to solicit money from their contact list, underscores how effective the underlying technique remains regardless of the victim’s public profile or security awareness.

How These Takeovers Actually Happen

Security researchers tracking WhatsApp account takeovers in 2026 point to a small number of well-established techniques that account for the overwhelming majority of such incidents. The most common remains verification-code theft: WhatsApp protects logins with a six-digit SMS code, and scammers exploit this safeguard by sending victims a message claiming unusual activity has been detected and asking them to reply with the code just received to secure the account. The moment a victim forwards that one-time password, the attacker takes over the account entirely and can then message the victim’s full contact list to widen the fraud.

A separate and less widely understood method involves abusing call forwarding features. In this technique, hackers trick users into dialling special codes such as *21[number]#, which silently redirects incoming calls to a number controlled by the attacker. Once activated, any verification call from WhatsApp, which typically contains a one-time code, is intercepted by the hacker, granting account access without the attacker ever needing physical access to the victim’s phone. This method is particularly deceptive because victims are often led to believe they are “fixing a bug” or “verifying their line,” entirely unaware they are handing over control of their account. Security analysts note that verification-code theft, linked-device abuse, or SIM swaps together account for nearly every reported takeover, with mobile-first social engineering continuing to succeed because such messages are short, personal, and manufactured to feel urgent.

An Ecosystem the Government Is Actively Trying to Reshape

Patra’s hacking incident lands at a particularly charged moment for WhatsApp security policy in India. On June 29, WhatsApp announced a new feature allowing users to reserve a unique username, positioned by the company as a privacy upgrade that would reduce reliance on phone numbers and, by extension, reduce SIM-swap-driven attacks. Within 48 hours, the Ministry of Electronics and Information Technology sent Meta a formal legal notice ordering the feature suspended for Indian users, warning that it could materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks by allowing bad actors to contact victims without exposing their phone number, a red flag that currently helps recipients sense when a message originates from an unfamiliar source. As of this week, WhatsApp usernames remain unavailable in India.

The irony embedded in Patra’s case is notable: his account was compromised using the very phone-number-based verification system the government is currently defending as a safeguard, illustrating that the debate over WhatsApp’s identity architecture is unlikely to have a clean answer either way.

What Experts and Police Are Advising

Commenting on the incident, renowned cybercrime expert and former IPS officer Prof. Triveni Singh said cybercriminals frequently exploit social engineering techniques to misuse the digital identities of trusted individuals, advising people to independently verify any request for money received from a known contact before making a payment, even when the request appears to come from a familiar and trusted number. He also recommended immediately changing passwords, enabling two-step verification, and informing both the platform and the police the moment any suspicious activity is detected on a WhatsApp or other digital account.

Police have reiterated the same guidance, urging the public to remain alert and independently verify any suspicious message, link, or financial request before acting, rather than relying on the apparent familiarity of the sender’s identity. With the investigation into Patra’s compromised account ongoing, officials said further legal proceedings will follow based on the technical evidence gathered, though for the contacts who may have already received fraudulent requests in his name, the more immediate lesson is one that has now been repeated by multiple Indian parliamentarians in as many years: a familiar name and number on WhatsApp is no longer sufficient proof of who is actually on the other end.

Stay Connected