CTM360 Reveals a Global WhatsApp Hijacking Operation Called HackOnChat

Cybersecurity researchers at CTM360 have uncovered an expanding global campaign that hijacks WhatsApp accounts by exploiting deceptive login portals and impersonation tactics. The operation, called HackOnChat, imitates the familiar WhatsApp Web environment to manipulate users into compromising their own accounts. This campaign has grown quickly, targeting individuals across multiple regions and using sophisticated social engineering techniques to secure unauthorized access.

Scale of the HackOnChat Campaign

Analysts found thousands of malicious links hosted on low-cost top-level domains and created through fast website-building tools. This setup allows attackers to produce new phishing pages in large numbers. Activity logs gathered by investigators reveal a growing number of incidents in recent weeks. The most significant spikes have been observed across the Middle East and Asia.

You can read the full CTM360 report here: CTM360 reports

Core Techniques Used in the Attacks

The HackOnChat operation largely relies on two dominant methods to compromise WhatsApp accounts.

1. Session Hijacking

Attackers exploit WhatsApp’s linked device feature to hijack active WhatsApp Web sessions. If a victim scans a fraudulent QR code, the attacker gains access to the session and can view or send messages.

2. Account Takeover

In these cases, victims are manipulated into handing over authentication keys. Once the attackers obtain these keys, they gain complete control of the account. To lure victims, they distribute phishing links styled as:

• Fake security alerts
• WhatsApp Web imitation portals
• Spoofed group invitation messages

These malicious pages are designed for global use, offering multilingual support and country code selectors that tailor the interface to different regions.
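For defenders reviewing proxy or DNS logs, the imitation portals described above can be surfaced by checking hostnames for the WhatsApp brand outside the service's own domains. The following is an added example, not code from CTM360 or its report. The allowlist in OFFICIAL, the digit swaps in SWAPS, the function names and the sample URLs are all assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: hostnames WhatsApp itself serves from; adjust for your environment.
OFFICIAL = ("whatsapp.com", "whatsapp.net", "wa.me")
BRAND = "whatsapp"
# Constructed list of digit-for-letter swaps used in lookalike names generally.
SWAPS = str.maketrans("01345", "oleas")

def skeleton(host):
    """Reduce a hostname to a comparison form: punycode decoded, accents and
    hyphens removed, digit swaps undone."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # not valid punycode; compare the raw form
    decomposed = unicodedata.normalize("NFKD", host)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.lower().replace("-", "").translate(SWAPS)

def classify(url):
    """Return a reason string for a suspicious URL, or None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host or any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return None  # no host, or a genuine WhatsApp domain
    if any(f".{d}." in f".{host}" for d in OFFICIAL):
        return "official-domain-as-subdomain"
    if BRAND in skeleton(host):
        return "brand-lookalike-host"
    return None  # brand words in the path alone are not flagged

# Constructed sample URLs on reserved TLDs (.example, .test); not real indicators.
SAMPLES = [
    "https://web.whatsapp.com/",
    "https://web.whatsapp.com.verify.example/qr",
    "https://wh4tsapp-web.test/login",
    "https://" + "whátsapp.example".encode("idna").decode("ascii") + "/",
    "https://news.example/articles/whatsapp-scam",
]

def flag(urls):
    """Map each suspicious URL to the reason it was flagged."""
    return {u: r for u in urls if (r := classify(u))}

if __name__ == "__main__":
    for url, reason in flag(SAMPLES).items():
        print(reason, url)
```

A match is a lead for review rather than a verdict, since the check only looks at the hostname and not at page content.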

How Attackers Exploit Compromised Accounts

When attackers gain access, they immediately begin using the hijacked account as a tool for further scams. This often includes contacting the victim’s friends, family, or colleagues to request money, confidential data, or verification codes. Since the account appears legitimate, victims’ contacts may trust the messages without suspicion.

Attackers may also explore stored messages, images, audio files, and documents, gathering personal or financial details. This stolen data can be used for fraud, impersonation, blackmail, or identity theft. In many cases, the compromised account becomes a platform for spreading phishing links to additional contacts, creating a chain reaction that amplifies the impact of the campaign.

