A Global Scam Built on Familiarity
In recent weeks, cybersecurity researchers have exposed a rapidly spreading cyber-fraud operation targeting WhatsApp users globally. Known as HackOnChat, this campaign employs a network of deceptive web portals designed to mimic WhatsApp’s official login environment, particularly the platform’s web-based dashboard, WhatsApp Web. The simplicity of the mechanics belies their sophistication, showcasing how even end-to-end encrypted platforms can fall prey to attacks that focus on exploiting human behavior rather than technical vulnerabilities.
The HackOnChat campaign has arisen during a period of heightened vulnerability for WhatsApp. Meta Platforms, the app’s parent company, reported in August 2025 that it had removed 6.8 million accounts linked to global scam centers in just six months. This concerning trend reveals that messaging platforms have become prime targets for social engineering tactics, leveraging user familiarity as a weapon.
How the Attack Works: A Two-Stage Method
Investigators describe HackOnChat as relying on two primary tactics that exploit WhatsApp’s convenience-driven design.
1. Session Hijacking
The first tactic involves using WhatsApp’s linked device feature. Attackers coax victims into unknowingly pairing an unauthorized device with their account. This gives intruders access to incoming messages, contact lists, and ongoing chats without immediately triggering alerts. The seamlessness of this process is a testament to the user-friendly design of WhatsApp, which unfortunately also leaves room for exploitation.
2. Account Takeover
The second tactic redirects victims to portals that closely resemble WhatsApp’s official login interface. These impersonators request users to enter a verification code sent by WhatsApp—a standard security measure. Once the user submits the code, attackers gain full control over the account, enabling them to reset security settings, monitor chats, and impersonate the victim efficiently. Cybersecurity analysts emphasize that the most significant vulnerability doesn’t lie within the encryption but rather in the “trusted workflows”; users often take mental shortcuts when interfaces appear familiar or prompts resemble anticipated system messages.
Why the Threat Is Growing
The proliferation of malicious portals reflects how low the barrier to entry has become for large-scale phishing campaigns. According to CTM360, various threat groups have registered thousands of inexpensive domain names, employing template-based website builders and automated tools to replicate the WhatsApp Web environment in multiple languages.
Because these portals can be tailored with localized scripts and country selectors, attackers can effectively target users across various regions, income levels, and device types. Once a WhatsApp account is compromised, the attack rarely stops; hijacked accounts are immediately used to message the victim’s contacts, often family members or trusted colleagues, requesting money, sensitive documents, or identity information. This tactic works effectively, as messages appear to come from known contacts, facilitating a cascading effect of further attacks.
The Human Factor and the Road Ahead
The HackOnChat campaign brings to light a broader challenge facing encrypted communication platforms: the strength of technical safeguards is often matched—or undermined—by the behaviors associated with them. As security teams investigate the campaign’s scope, they’re keen to understand how many sessions have been hijacked, whether specific user groups, such as senior executives or enterprise customers, are being targeted, and how widely these malicious portals have spread.
On the user front, experts highlight several critical habits that can help combat such threats:
- Enabling two-step verification: This simple but effective measure adds an extra layer of security.
- Treating one-time codes as confidential: Users should never share these codes, not even with trusted contacts.
- Scrutinizing links: Careful examination of any link that claims to be WhatsApp Web or related security alerts is essential.
- Closing old or unused linked sessions: Regularly reviewing linked devices in the app’s settings can help maintain account security.
Cybersecurity firms like Kaspersky have issued parallel advisories, pointing out that messaging platforms are increasingly common entry points for social engineering attacks globally. As technologies continue to evolve, maintaining vigilance and adopting proactive security measures will become ever more crucial in safeguarding personal and professional communications.
