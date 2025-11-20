CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp's familiar web interface, using social engineering tactics to trick users into compromising their accounts.

Investigators identified thousands of malicious URLs being hosted on inexpensive top-level domains and rapidly generated through modern website-building platforms, allowing attackers to deploy new pages at scale. The campaign's activity logs show hundreds of incidents in recent weeks, with a noticeable surge across the Middle East and Asia.

The hacking operations and the exploitation techniques

Two techniques dominate these hacking operations. The Session Hijacking, where threat actors misuse the linked-device functionality to hijack active WhatsApp Web sessions, and Account Takeover, which involves deceiving victims into surrendering authentication keys, granting attackers full control of their accounts. Attackers push these links using templates of fake security alerts, WhatsApp Web lookalike portals, and spoofed group-invite messages. These sites are further optimized for global reach, featuring multilingual support and a country-code selector that adapts the interface for users across multiple regions.

Once scammers gain control of a WhatsApp account, they exploit it to target the victim's contacts, often requesting money or sensitive information under the guise of a trusted source. They may also sift through messages, media, and documents to steal personal, financial, or private data, which can be used for fraud, impersonation, or extortion. Frequently, these attacks extend further as the compromised account is used to send phishing messages to the victim's contacts, creating a chain of attacks that spreads the scam.

HackOnChat demonstrates that social engineering remains one of the most scalable attack vectors today, especially when attackers exploit trusted and familiar interfaces and the human trust built around them.

