Hackers deploy thousands of URLs to seize WhatsApp accounts worldwide

New analysis reveals a mass-scale campaign leveraging WhatsApp Web, social engineering

Nathaniel Lacsina, Senior Web Editor
Campaign uses cloned login portals and OTP prompts to break into WhatsApp accounts and exploit contacts.

In recent weeks, a new global scam campaign dubbed 'HackOnChat' has been uncovered by cybersecurity firm CTM360. The scheme specifically targets users of WhatsApp by exploiting its web-portal (“WhatsApp Web”) functionality and trusted user workflows.

Investigators say the campaign uses two main tactics. The first is session hijacking, where attackers leverage the 'linked device' feature of WhatsApp Web to attach a new device to a victim’s account without the user’s direct awareness. The second is account takeover, in which victims are tricked via fake login portals into surrendering their one-time authentication codes, handing attackers full control of the account.

These malicious portals are deployed at scale: CTM360 identified thousands of URLs hosted on inexpensive domain names, often built using low-cost web-builders, and optimised with multilingual support and country selectors to target users. After gaining access, the compromised WhatsApp account is used to message the victim’s contacts, often requesting money or sensitive data under the guise of someone trusted. From there the attack can cascade, as one compromised account propagates the scam further.

This campaign arrives at a time when WhatsApp is already under pressure from rising fraud. In August 2025, WhatsApp’s parent company, Meta Platforms, reported having taken down 6.8 million accounts linked to global scam centres in the first half of the year. Analysts note that messaging apps have become major vectors for social engineering, moving beyond classic email-phishing into multi-channel attacks that exploit human trust and familiarity.

For users of WhatsApp, the risk is twofold: not only is the account itself compromised, but the attacker can reach a trusted social graph (the user’s contacts) and exploit that trust to extract money or data. The methods are deceptively simple: trick a user into clicking a link and entering a code, and the attacker has full account access.

What’s next?

Security teams are now assessing how widely distributed the campaign is, how many active sessions have been hijacked, and whether specific regions or user types (for example, high-profile individuals or enterprise users) are preferentially targeted. On the user side, this highlights the continuing importance of enabling two-step verification, treating one-time codes as secret, and being skeptical of any link that purports to be WhatsApp Web and of “security alert” prompts. Kaspersky’s recent advisory also emphasises these protections in a similar context.

As messaging platforms continue to draw more users and more attention from adversaries, the attack surface grows. Trust, familiarity and convenience become part of the exploit chain. The HackOnChat campaign offers a reminder: even in end-to-end encrypted services, the weakest link is often user behaviour and interface design.
