Phishing Kit Hijacks WhatsApp Accounts via WhatsApp Web QR Code and Targets Iran-Related Individuals
A phishing campaign targeting high-profile individuals involved in Iran-related activities has been using WhatsApp messages to lure victims to a fake site that impersonates WhatsApp Web and steals access to accounts and other credentials. U.K.-based Iranian activist and investigator Nariman Gharib shared the phishing link and technical findings, which indicated the operation aimed to compromise WhatsApp accounts and harvest credentials (including Gmail and other online logins), with victims including a Middle Eastern academic in national security studies, the head of an Israeli drone maker, a senior Lebanese cabinet minister, at least one journalist, and individuals with U.S. phone numbers. TechCrunch reported it was able to view a real-time copy of victim submissions because the attackers’ server storing responses was left exposed without a password, showing dozens of victims had entered credentials and were likely subsequently compromised.
Technical reporting described the attack as a “surveillance kit” that hijacks accounts by abusing the WhatsApp Web linking flow: the phishing page continuously polls the attacker’s infrastructure and presents a live QR code tied to the attacker’s own WhatsApp Web session, so when a victim scans it they unknowingly authenticate the attacker’s browser and link their account. The infrastructure was reported as hosted on a DuckDNS domain and running on an Ubuntu server with nginx. Beyond account takeover, the kit was described as requesting browser permissions that could enable invasive monitoring—camera, microphone, and location access—allowing attackers to capture photos, record audio in intervals, and track location in near real time; attribution remained uncertain in one report, while another linked the activity to Iranian intelligence.
Timeline
Jan 16, 2026
Phishing site was taken offline
By the time TechCrunch published its analysis, the phishing site was no longer accessible. The takedown followed public scrutiny and technical investigation of the campaign infrastructure.
Jan 16, 2026
Campaign attribution remained disputed as reporting expanded
Public reporting linked the operation to Iranian intelligence or IRGC-linked spearphishing based on observed patterns, while other researchers said the infrastructure could also fit financially motivated cybercrime. This marked a notable attribution debate as more technical details became public.
Jan 16, 2026
TechCrunch found exposed victim logs on attacker server
TechCrunch reported that the attackers’ server exposed victim-submission logs without authentication, allowing real-time viewing of entered credentials and other submitted data. The logs indicated dozens of impacted individuals across the Iranian diaspora and the Middle East, including high-profile targets.
Jan 14, 2026
WhatsApp issued user-safety guidance on suspicious links
WhatsApp responded by advising users not to click links from unknown senders and to report suspicious messages. The company’s statement came as coverage highlighted the campaign’s account-takeover and surveillance risks.
Jan 14, 2026
Researchers documented real-time WhatsApp QR hijacking technique
Analysis of the phishing kit showed it relayed a live WhatsApp Web QR code from the attacker’s browser session to the victim, allowing rapid account hijacking when scanned. The kit also sought browser permissions that could enable collection of location, photos, audio, camera, and microphone access.
Jan 14, 2026
Gharib publicly warned users and shared campaign evidence
After receiving the phishing link, Gharib posted redacted screenshots publicly and warned others not to click suspicious links. He also shared the full phishing URL and a write-up of his findings with TechCrunch and other researchers.
Jan 14, 2026
Nariman Gharib received a WhatsApp phishing message
U.K.-based Iranian activist Nariman Gharib was targeted with a WhatsApp message containing a phishing link. He assessed the activity as aimed at people involved in Iran-related political, media, activist, or research work.
Nov 1, 2025
Phishing domains for the campaign were registered
Lookalike phishing infrastructure used in the campaign included domains such as alex-fabow.online, which TechCrunch reported were registered in early November 2025. The related domains suggested preparation for broader targeting of Gmail and WhatsApp users.
Related Stories

Global WhatsApp Account Hijacking Campaign via Social Engineering
A rapidly expanding WhatsApp account hijacking campaign, dubbed HackOnChat by CTM360, is targeting users worldwide through a network of deceptive authentication portals and impersonation pages. Attackers exploit WhatsApp's web interface and use social engineering tactics, such as fake security alerts and spoofed group-invite messages, to trick users into compromising their accounts. The campaign leverages thousands of malicious URLs hosted on inexpensive domains, with a surge in activity noted across the Middle East and Asia. Once an account is compromised, attackers use it to target the victim's contacts for further scams, data theft, and extortion, often propagating the attack chain through phishing messages sent from the hijacked account. Research from UC San Diego highlights the broader social engineering strategies employed by scammers, including the use of long, trust-building conversations that often transition to WhatsApp as the preferred platform for executing fraud. The study found that scammers typically delay financial requests until after extensive interaction, using personal conversation and subtle verification techniques to build credibility. These findings underscore the effectiveness of WhatsApp as a tool for scammers and the sophistication of their methods in orchestrating account takeovers and subsequent fraudulent activities.
1 month ago
Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
1 week ago
WhatsApp Phishing Campaigns Exploiting Online Voting Pretexts
A sophisticated phishing campaign has been targeting WhatsApp users globally by leveraging fake online voting pages as a social engineering lure. Attackers initiate contact through personalized messages, often impersonating friends or relatives whose accounts have already been compromised, and request recipients to vote for a contestant in a fabricated competition. The phishing messages are distributed via WhatsApp groups, private chats, and other social networks, increasing their reach and credibility. Victims are directed to convincingly designed phishing websites that mimic legitimate voting polls, complete with real participant photos, vote buttons, and dynamic counters to enhance authenticity. These phishing sites are produced in multiple languages, including English, Spanish, German, Turkish, Danish, and Bulgarian, indicating a broad, international scope and the likely use of AI-driven phishing kits. Upon clicking the vote button, users are prompted to provide sensitive information, which can lead to account compromise and further propagation of the scam through hijacked accounts. The campaign demonstrates a shift in phishing tactics from traditional email-based attacks to mobile-first platforms such as WhatsApp, SMS, and other messaging services. This trend is corroborated by industry data showing that 41% of phishing incidents now employ multichannel approaches, including smishing, vishing, and quishing. The move to mobile platforms makes these attacks harder to detect and prevent, as they exploit the trust and immediacy associated with personal messaging apps. Security experts warn that these mobile phishing campaigns are more likely to succeed due to their personalized nature and the difficulty users face in distinguishing legitimate requests from fraudulent ones. 
In response, organizations are adopting AI-driven security solutions that analyze message content and intent in real time to identify and block social engineering attempts before users are compromised. The ongoing evolution of phishing tactics underscores the need for heightened user awareness, robust mobile security measures, and continuous monitoring of emerging threats targeting messaging platforms. Enterprises are advised to educate employees about the risks of unsolicited voting requests and to implement technical controls that can detect and mitigate phishing attempts across all communication channels. The widespread nature of this campaign highlights the importance of a multi-layered defense strategy that addresses both technological and human vulnerabilities. As attackers continue to innovate, proactive threat intelligence and adaptive security solutions remain critical to protecting users from account takeover and data theft. The incident serves as a reminder that social engineering remains a potent tool for cybercriminals, especially when combined with convincing pretexts and advanced phishing infrastructure. Organizations and individuals alike must remain vigilant against evolving phishing schemes that exploit trust and social connections on mobile platforms.
3 weeks ago