
Global WhatsApp Account Hijacking Campaign via Social Engineering

Tags: phishing-campaign-intelligence, identity-impersonation-fraud, credential-access-method, initial-access-method

Updated March 21, 2026 at 03:20 PM | 2 sources

A rapidly expanding WhatsApp account hijacking campaign, dubbed HackOnChat by CTM360, is targeting users worldwide through a network of deceptive authentication portals and impersonation pages. Attackers exploit WhatsApp's web interface and use social engineering tactics, such as fake security alerts and spoofed group-invite messages, to trick users into compromising their accounts. The campaign leverages thousands of malicious URLs hosted on inexpensive domains, with a surge in activity noted across the Middle East and Asia. Once an account is compromised, attackers use it to target the victim's contacts for further scams, data theft, and extortion, often propagating the attack chain through phishing messages sent from the hijacked account.

Research from UC San Diego highlights the broader social engineering strategies employed by scammers, including the use of long, trust-building conversations that often transition to WhatsApp as the preferred platform for executing fraud. The study found that scammers typically delay financial requests until after extensive interaction, using personal conversation and subtle verification techniques to build credibility. These findings underscore the effectiveness of WhatsApp as a tool for scammers and the sophistication of their methods in orchestrating account takeovers and subsequent fraudulent activities.

Timeline

  1. Nov 20, 2025

    HackOnChat activity surges in the Middle East and Asia

    CTM360 said activity logs showed hundreds of incidents in recent weeks, with a notable increase in attacks targeting users in the Middle East and Asia. After compromising accounts, attackers used them to scam contacts, spread further phishing, and harvest private data for fraud, impersonation, or extortion.

  2. Nov 20, 2025

    CTM360 identifies the HackOnChat WhatsApp hijacking campaign

    CTM360 reported a global WhatsApp account-hijacking operation dubbed "HackOnChat" that uses fake authentication portals, WhatsApp Web lookalike pages, and spoofed group-invite messages to steal sessions and take over accounts. The company said the campaign had generated thousands of malicious URLs at scale and was affecting users across multiple regions.
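
One way a defender could triage links in reported messages against the WhatsApp Web lookalike pages and spoofed group-invite links described above. This is an added example, not code from CTM360 or the original page; the allowlist scope, the similarity threshold, the function names and the sample URLs (reserved `.example` domains) are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hosts WhatsApp serves its web client, group invites and chat links from.
# Assumption: this short allowlist is everything you want to accept.
LEGIT_HOSTS = {"whatsapp.com", "www.whatsapp.com", "web.whatsapp.com",
               "chat.whatsapp.com", "api.whatsapp.com", "wa.me"}
BRAND = "whatsapp"
FUZZY_THRESHOLD = 0.8  # assumption: tune against your own traffic

def classify_link(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases hostname
    if host in LEGIT_HOSTS:
        return "legitimate"
    # Brand name anywhere in the authority: covers prefix tricks such as
    # web.whatsapp.com.<other-domain> and userinfo tricks such as
    # web.whatsapp.com@<other-domain>, where the real host is the last part.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    # Near-miss spellings in any dot-, hyphen- or underscore-separated token.
    for token in re.split(r"[.\-_]", host):
        if SequenceMatcher(None, token, BRAND).ratio() >= FUZZY_THRESHOLD:
            return "lookalike"
    return "unrelated"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def lookalikes_in(message: str) -> list[str]:
    """Extract URLs from message text and return those judged lookalikes."""
    return [u for u in URL_RE.findall(message)
            if classify_link(u) == "lookalike"]

# Constructed sample message, not a real indicator.
SAMPLE = ("Security alert: confirm your session at "
          "https://web.whatsapp.com.session-verify.example/login "
          "or join via https://chat.whatsapp.com/AbCdEf123456")

if __name__ == "__main__":
    for link in lookalikes_in(SAMPLE):
        print("lookalike:", link)
```

Homoglyph (IDN) hosts are not covered by the string comparison here and need a separate confusables check.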

Sources

November 20, 2025 at 12:00 AM
November 19, 2025 at 12:00 AM

Related Stories

GhostPairing Social Engineering Attack Enables WhatsApp Account Takeover

A new WhatsApp account takeover campaign, dubbed the **GhostPairing attack**, leverages social engineering to trick users into granting attackers access to their accounts without requiring password theft or SIM swapping. Victims receive a message from a trusted contact, typically stating "Hey, I just found your photo!" and containing a link that appears to be a Facebook preview. When the link is clicked, users are directed to a convincing fake Facebook page that prompts them to "verify" their identity. This process covertly guides the victim through WhatsApp's device-linking flow, resulting in the attacker's device being added as a linked device on the victim's account. The attack exploits WhatsApp's legitimate device pairing feature, making the compromise appear as a user-approved action. The campaign was first observed in Czechia, with messages sent from compromised accounts to local contacts, and the infrastructure relies on a network of lookalike domains designed to mimic Facebook. Security researchers emphasize that there is no password theft or SIM swap involved; instead, the attack relies entirely on user manipulation. Users are advised to be cautious of unexpected messages, even from known contacts, and to scrutinize any requests to verify or link devices within WhatsApp.

1 month ago

WhatsApp Phishing Campaigns Exploiting Online Voting Pretexts

A sophisticated phishing campaign has been targeting WhatsApp users globally by leveraging fake online voting pages as a social engineering lure. Attackers initiate contact through personalized messages, often impersonating friends or relatives whose accounts have already been compromised, and request recipients to vote for a contestant in a fabricated competition. The phishing messages are distributed via WhatsApp groups, private chats, and other social networks, increasing their reach and credibility. Victims are directed to convincingly designed phishing websites that mimic legitimate voting polls, complete with real participant photos, vote buttons, and dynamic counters to enhance authenticity. These phishing sites are produced in multiple languages, including English, Spanish, German, Turkish, Danish, and Bulgarian, indicating a broad, international scope and the likely use of AI-driven phishing kits. Upon clicking the vote button, users are prompted to provide sensitive information, which can lead to account compromise and further propagation of the scam through hijacked accounts. The campaign demonstrates a shift in phishing tactics from traditional email-based attacks to mobile-first platforms such as WhatsApp, SMS, and other messaging services. This trend is corroborated by industry data showing that 41% of phishing incidents now employ multichannel approaches, including smishing, vishing, and quishing. The move to mobile platforms makes these attacks harder to detect and prevent, as they exploit the trust and immediacy associated with personal messaging apps. Security experts warn that these mobile phishing campaigns are more likely to succeed due to their personalized nature and the difficulty users face in distinguishing legitimate requests from fraudulent ones. 
In response, organizations are adopting AI-driven security solutions that analyze message content and intent in real time to identify and block social engineering attempts before users are compromised. The ongoing evolution of phishing tactics underscores the need for heightened user awareness, robust mobile security measures, and continuous monitoring of emerging threats targeting messaging platforms. Enterprises are advised to educate employees about the risks of unsolicited voting requests and to implement technical controls that can detect and mitigate phishing attempts across all communication channels. The widespread nature of this campaign highlights the importance of a multi-layered defense strategy that addresses both technological and human vulnerabilities. As attackers continue to innovate, proactive threat intelligence and adaptive security solutions remain critical to protecting users from account takeover and data theft. The incident serves as a reminder that social engineering remains a potent tool for cybercriminals, especially when combined with convincing pretexts and advanced phishing infrastructure. Organizations and individuals alike must remain vigilant against evolving phishing schemes that exploit trust and social connections on mobile platforms.

3 weeks ago

Phishing Kit Hijacks WhatsApp Accounts via WhatsApp Web QR Code and Targets Iran-Related Individuals

A phishing campaign targeting high-profile individuals involved in Iran-related activities has been using WhatsApp messages to lure victims to a fake site that impersonates *WhatsApp Web* and steals access to accounts and other credentials. U.K.-based Iranian activist and investigator **Nariman Gharib** shared the phishing link and technical findings, which indicated the operation aimed to compromise WhatsApp accounts and harvest credentials (including **Gmail** and other online logins), with victims including a Middle Eastern academic in national security studies, the head of an Israeli drone maker, a senior Lebanese cabinet minister, at least one journalist, and individuals with U.S. phone numbers. TechCrunch reported it was able to view a real-time copy of victim submissions because the attackers’ server storing responses was left exposed without a password, showing dozens of victims had entered credentials and were likely subsequently compromised. Technical reporting described the attack as a “surveillance kit” that hijacks accounts by abusing the WhatsApp Web linking flow: the phishing page continuously polls the attacker’s infrastructure and presents a live QR code tied to the attacker’s own WhatsApp Web session, so when a victim scans it they unknowingly authenticate the attacker’s browser and link their account. The infrastructure was reported as hosted on a **DuckDNS** domain and running on an **Ubuntu** server with **nginx**. Beyond account takeover, the kit was described as requesting browser permissions that could enable invasive monitoring—camera, microphone, and location access—allowing attackers to capture photos, record audio in intervals, and track location in near real time; attribution remained uncertain in one report, while another linked the activity to Iranian intelligence.

1 month ago
