
11/24/2025

Hackers deploy thousands of URLs to seize WhatsApp accounts worldwide

Gulf News

In recent weeks, a new global scam campaign dubbed 'HackOnChat' has been uncovered by cybersecurity firm CTM360. The scheme specifically targets WhatsApp users by exploiting its web portal (“WhatsApp Web”) functionality and trusted user workflows.

Investigators say the campaign uses two main tactics. The first is session hijacking, in which attackers leverage the 'linked device' feature of WhatsApp Web to attach a new device to a victim’s account without the user’s direct awareness. The second is account takeover, in which victims are tricked via fake login portals into surrendering their one-time authentication codes, handing attackers full control of the account.

These malicious portals are deployed at scale: CTM360 identified thousands of URLs hosted on inexpensive domain names, often built using low-cost web builders, and optimised with multilingual support and country selectors to target users. After gaining access, the attackers use the compromised WhatsApp account to message the victim’s contacts, often requesting money or sensitive data under the guise of someone trusted. From there the attack can cascade, as one compromised account propagates the scam further.
