Blog Credit : Trupti Thakur
Image Courtesy : Google
Exposure Of Global WhatsApp Hijacking Campaign
CTM360 Scam Navigator
CTM360 Scam Navigator, inspired by the MITRE framework, is an analysis of the observed scams showing how the scammers navigate through different stages of the scam. Scam Navigator is a tool that categorizes common techniques, providing insights into the typical patterns of fraudulent activity.
Built on the MITRE model, it identifies six key stages in a scam: resource development, trigger, distribution, target interaction, motive, and monetization. There are commonly two phases in these scams, represented as Phase 1 (in white) and Phase 2 (in grey).
By breaking down the scam across its stages, the CTM360 Scam Navigator provides a clearer understanding of WhatsApp account-hacking techniques, along with the underlying motives and monetization strategies.
The attackers rely on two primary techniques: Session Hijacking, where the WhatsApp linked-device feature is exploited to hijack WhatsApp Web sessions, and Account Takeover, which involves tricking victims into revealing authentication keys so that attackers can seize full ownership of their accounts. The malicious links use templates of fake security-alert verification pages, deceptive WhatsApp Web imitation pages, and spoofed group-invitation messages, all designed to lure users into these traps and enable the hacking process.
TARGETED REGIONS DISTRIBUTION
The sites are built to target multiple regions by combining multilingual content with a prominent country selector that lets victims choose their country and automatically applies the corresponding international dialing code.
By supporting a wide range of country codes and a searchable country list, these sites broaden their geographic reach, simplify localization, and make it easy for attackers to target users across multiple regions globally.
Motives of Monetization
Once scammers gain control of a victimʼs WhatsApp account, they exploit it for multiple malicious purposes, primarily driven by financial gain and social engineering opportunities. Their tactics often unfold in several phases:
Targeting Victim Contacts:
After compromising an existing WhatsApp account, malicious actors begin contacting the victimʼs close contacts to request fund transfers. They craft persuasive messages designed to get their targets to transfer money and sometimes to disclose sensitive personal information such as banking details or verification codes.
Because messages appear to come from a trusted source, recipients are more likely to comply without verifying authenticity.
Data Theft:
Scammers will rifle through your message history, documents, and media files to extract:
- Personally identifiable information (PII) such as names, addresses, or ID
- Financial or transactional
- Private content that may be used for further fraud, impersonation, or
Collected data may also be cross-referenced with other platforms to access linked services or escalate the compromise.
Spreading the Scam:
The attack often evolves into a chain of hijacks, exploiting trust relationships between contacts. New victims are targeted by phishing messages sent from the compromised account. They may trick your contacts into handing over their one-time passwords (OTPs), leading to a chain of attacks that spreads the scam.
CTM360 has discovered a large-scale malicious campaign targeting WhatsApp users worldwide. This scam is designed to hijack WhatsApp accounts through deceptive phishing schemes that exploit user trust in the WhatsApp brand. Threat actors behind this campaign create fraudulent websites that closely imitate legitimate WhatsApp interfaces, using urgency-driven tactics to trick users into compromising their accounts. We have dubbed this WhatsApp account-hacking scam campaign “HackOnChat”.
This ongoing campaign leverages a variety of social engineering techniques to reach a global audience, often deploying multilingual fake pages to maximize its impact across different regions.
CTM360ʼs Threat Intelligence Team continues to monitor the evolution of these campaigns, analyze their technical mechanisms, and take proactive measures to disrupt their spread. This report provides an in-depth look at the underlying attack infrastructure, outlines detection methodologies, and presents actionable strategies to mitigate the risks posed by HackOnChat.
Key Findings on HackOnChat Scam Campaign:
- Over 9000 phishing URLs uncovered, spanning more than 3 distinct phishing
- These sites are hosted on spoofed dedicated domains; these domains are frequently registered with low-cost or less regulated top-level domains such as .cc, .net, .icu, and .top, making them easier to set up and harder to trace.
- In addition, a significant portion of these sites are deployed using widely available website builders and hosting platforms, including Vercel, WIX, GitHub, and
- The scam uses two primary techniques to compromise WhatsApp accounts: Session Hijacking and Account Takeover.
- Over the last 45 days (October–November 2025), CTM360 recorded more than 450 incidents tied to this campaign, an average of over 10 detections per day.
While victims have been identified globally, the activity shows a notable concentration in the Middle East and Asia, indicating these regions are of particular interest to the threat actors.
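The findings above give a defender three cheap triage signals for a URL reported by a user: a WhatsApp brand token in a hostname that is not an official WhatsApp domain, one of the low-cost TLDs named in the report, and hosting on one of the site-builder platforms named in the report. The following script is an added example written for this page, not CTM360's own tooling; the allow-list of official domains, the hosting suffixes mapped to Vercel, WIX and GitHub (vercel.app, wixsite.com, github.io), the lure-word list and the scoring weights are all assumptions chosen for illustration, and the sample URLs are constructed, not observed indicators.

```python
"""Heuristic triage of reported URLs for WhatsApp-lookalike phishing pages.

Added example for this post; the lists and weights below are assumptions,
not CTM360 detection logic.
"""
from urllib.parse import urlparse

# Assumption: illustrative allow-list of official WhatsApp domains.
LEGIT_DOMAINS = {"whatsapp.com", "whatsapp.net", "wa.me"}
# TLDs the report names as low-cost / less regulated.
RISKY_TLDS = {"cc", "net", "icu", "top"}
# Assumption: common free-hosting suffixes for the builders the report names.
BUILDER_SUFFIXES = {"vercel.app": "Vercel", "wixsite.com": "WIX", "github.io": "GitHub"}
# Brand tokens that should never appear in a hostname outside the allow-list.
BRAND_TOKENS = ("whatsapp", "whats-app", "wa-web")
# Words matching the lure templates described in the post (security alert,
# verification, Web login, group invite).
LURE_WORDS = ("verify", "security", "alert", "login", "invite", "group")


def _host_matches(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def score_url(url: str) -> dict:
    """Return a score, verdict and the reasons behind them for one URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []

    # Official domains are never flagged, whatever the path looks like.
    if any(_host_matches(host, d) for d in LEGIT_DOMAINS):
        return {"url": url, "host": host, "score": 0,
                "verdict": "allow-listed", "reasons": ["official WhatsApp domain"]}

    score = 0
    # Brand impersonation in the hostname is the strongest signal; the same
    # token in the path only (e.g. a news article) is weak on its own.
    if any(t in host for t in BRAND_TOKENS):
        score += 3
        reasons.append("brand token in hostname")
    elif any(t in path for t in BRAND_TOKENS):
        score += 1
        reasons.append("brand token in path")

    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        score += 2
        reasons.append(f"low-cost TLD .{tld}")

    for suffix, platform in BUILDER_SUFFIXES.items():
        if _host_matches(host, suffix):
            score += 2
            reasons.append(f"hosted on {platform} ({suffix})")
            break

    # Lure vocabulary adds at most 2 points so it cannot dominate the score.
    lures = [w for w in LURE_WORDS if w in host or w in path]
    if lures:
        score += min(len(lures), 2)
        reasons.append("lure words: " + ", ".join(lures))

    verdict = ("likely phishing" if score >= 5
               else "suspicious" if score >= 3 else "low")
    return {"url": url, "host": host, "score": score,
            "verdict": verdict, "reasons": reasons}


def triage(urls: list) -> list:
    """Score a batch of URLs and return them highest-risk first."""
    return sorted((score_url(u) for u in urls), key=lambda r: r["score"], reverse=True)


# Constructed sample URLs for demonstration; none of these are real indicators.
SAMPLE_URLS = [
    "https://web.whatsapp.com/",
    "https://whatsapp-security-alert-sample.top/verify",
    "https://wa-web-login-sample.vercel.app/",
    "https://chat-invite-sample.github.io/group",
    "https://news.example.org/whatsapp-scam-advice",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print(f"{r['score']:>2}  {r['verdict']:<16} {r['host']:<42} {'; '.join(r['reasons'])}")
```

The allow-list check runs first so that an official WhatsApp link containing words like "verify" is never flagged, and brand tokens count far more in the hostname than in the path, which keeps ordinary articles about WhatsApp scams in the "low" bucket. The score is a prioritisation aid for an analyst queue, not a blocking decision: a hit on a builder platform or a .net domain alone stays below the "suspicious" threshold.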
CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts.
Investigators identified thousands of malicious URLs being hosted on inexpensive top-level domains and rapidly generated through modern website-building platforms, allowing attackers to deploy new pages at scale. The campaign’s activity logs show hundreds of incidents in recent weeks, with a noticeable surge across the Middle East and Asia.
The hacking operations and the exploitation techniques
Two techniques dominate these hacking operations: Session Hijacking, where threat actors misuse the linked-device functionality to hijack active WhatsApp Web sessions, and Account Takeover, which involves deceiving victims into surrendering authentication keys, granting attackers full control of their accounts. Attackers push these links using templates of fake security alerts, WhatsApp Web lookalike portals, and spoofed group-invite messages. These sites are further optimized for global reach, featuring multilingual support and a country-code selector that adapts the interface for users across multiple regions.
Once scammers gain control of a WhatsApp account, they exploit it to target the victim’s contacts, often requesting money or sensitive information under the guise of a trusted source. They may also sift through messages, media, and documents to steal personal, financial, or private data, which can be used for fraud, impersonation, or extortion. Frequently, these attacks extend further as the compromised account is used to send phishing messages to the victim’s contacts, creating a chain of attacks that spreads the scam.
HackOnChat demonstrates that social engineering remains one of the most scalable attack vectors today, especially when attackers exploit trusted and familiar interfaces and the human trust built around them.
Blog By : Trupti Thakur