A large-scale, worldwide phishing operation called HackOnChat (HoC) was exposed by the cybersecurity company CTM360 in November 2025. The campaign targets WhatsApp users all over the world with fake portals that imitate the WhatsApp Web login screen in order to hijack their accounts. Its main tactic is to steal session tokens from unsuspecting victims' WhatsApp accounts, either by tricking them into scanning a QR code with their phone camera or by intercepting a one-time password (OTP) sent to their phone.
The HoC campaign abuses the "Linked Devices" feature of the WhatsApp platform and the trusted workflow built around it. It lets an attacker link a new device to the victim's account, giving the attacker complete access to and control over that WhatsApp account. Once an account is hijacked, the attacker can use it to scam the victim's contacts (for instance, by requesting "money in an emergency") and to steal sensitive information from the victim. The campaign scales easily because the attackers generate many thousands of disposable phishing URLs.
Ways the Attack is Performed: There are two main types of attack:
1. Session hijacking via fake WhatsApp Web portals: attackers impersonate WhatsApp and send users phishing emails or messages such as:
a) Phishing “security alert” emails: “Your account has been hacked, verify your account now”
b) Spoofed group or friend invites carrying links marked as urgent
c) Emails saying “Scan this QR code to join chat” or “login to see message”
The link sends the user to a fake WhatsApp Web page that looks almost identical to the real WhatsApp QR code scanner. When the user scans the QR code with their phone:
a) the WhatsApp app on their phone generates a session token for the device being linked
b) the attackers capture this token using JavaScript on the fake QR scanner page or by intercepting the link through a proxy
c) the attackers then import the session token into their own browser/session and gain access to the victim's chats, contacts, and photos
The victim does not have to enter any password or OTP; the QR code scan alone hands the attacker an active session.
2. Account takeover through OTP deception: attackers impersonating WhatsApp send spoofed “phishing” invites asking the user to “enter your phone number to receive a code”. A fake OTP page is shown, the user receives a legitimate code from WhatsApp and enters it on the phishing site, and that code links the attacker's device to the account as an additional device, giving the attacker control of the account.
The portals run on low-cost domains (.cc, .net, .icu and .top) and are hosted on platforms such as Vercel, Netlify, GitHub Pages, and Wix. Multilingual versions of the portal have been successful in the Middle East and in parts of Asia, Jordan among them, allowing the operators to target specific regions around the globe. As of late 2025, CTM360 has tracked over 9,000 URLs and 450+ victims, with the number of sites and victims in its database rising rapidly each day.
Why This Matters
1. Immediate Abuse: Attackers impersonate you by messaging your contacts ("I lost my phone, please send money urgently" or "Please verify this code") in an attempt to defraud them.
2. Chain Attacks: Once an account is hijacked, it is used to spread more phishing links, creating a viral spread.
3. Data Theft: Your chats, photos, voice notes, and any associated business accounts are exposed.
4. Financial Loss: Losses typically arise from fraudulent transfers or cryptocurrency payments.
Ways to Stay Safe
1. Do not scan QR codes from unknown sources, including unsolicited messages (such as invitations from friends), even if they seem legitimate.
2. Verify every link before clicking it by hovering over it on a desktop or pressing and holding it on a mobile device, and check that the address is genuine (the URL for WhatsApp Web is web.whatsapp.com).
3. Regularly check the list of devices linked to your WhatsApp account in your settings under "Linked Devices." Log out of any devices you do not recognize.
4. Enable "Two-Step Verification" in your WhatsApp settings to add an additional layer of security when connecting new devices (a PIN that must be entered whenever a new device is authenticated with WhatsApp).
5. Never enter an OTP on a website that requests it. WhatsApp will never ask you for an OTP to authenticate your account outside of the WhatsApp application itself.
6. Use antivirus software (e.g., Bitdefender or Malwarebytes) to protect yourself from email-based phishing and malware attacks.
7. If your account has been compromised, immediately log out of all linked devices from your trusted phone, log back in and secure any accounts connected to it, and warn your contacts that the account was compromised.
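The infrastructure traits described above (lookalike hosts, cheap TLDs, free hosting platforms) and the advice to check that a link really points at web.whatsapp.com can be turned into a small link-triage routine. The script below is an added example written for this article; it is not code from the article, from CTM360 or from WhatsApp. The TLD list comes from the article; the platform hostnames (vercel.app, netlify.app, github.io, wixsite.com), the extra genuine hosts besides web.whatsapp.com, the lure-word list and the sample links are assumptions or constructed for illustration.

```python
"""Triage links for traits of HackOnChat-style WhatsApp Web phishing portals.

Added defensive example, not part of the original article. It checks a link's
real hostname (exact match, not substring) against the genuine WhatsApp Web
host, then counts the indicators the article describes: a lookalike host,
a cheap TLD, a free hosting platform and lure wording in the path.
"""
import re
from urllib.parse import urlparse

# The article names web.whatsapp.com as the genuine WhatsApp Web host; the other
# two entries are added from general knowledge of WhatsApp's domains (assumption).
GENUINE_WHATSAPP_HOSTS = {"web.whatsapp.com", "whatsapp.com", "www.whatsapp.com"}

# Cheap TLDs the article reports the campaign using.
CHEAP_TLDS = {"cc", "net", "icu", "top"}

# Standard project-site domains of the hosting platforms the article names
# (assumption: these are the platforms' default hostnames).
FREE_HOSTING_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "wixsite.com")

# Wording taken from the lures the article quotes ("verify your account now",
# "scan this QR code", "login to see message").
LURE_WORDS = {"verify", "login", "qr", "scan", "code", "chat"}


def _parse(url: str):
    """Parse a link, tolerating links written without a scheme."""
    return urlparse(url if "://" in url else "http://" + url)


def extract_host(url: str) -> str:
    """Return the lowercase hostname actually contacted by the browser.

    .hostname (rather than .netloc) drops any 'user@' prefix and port, so a
    link such as https://web.whatsapp.com@example.cc/ resolves to example.cc
    instead of the trusted name smuggled into the userinfo part.
    """
    return (_parse(url).hostname or "").lower()


def is_genuine_whatsapp(host: str) -> bool:
    """Exact match only: web.whatsapp.com.example.cc must NOT count as genuine."""
    return host in GENUINE_WHATSAPP_HOSTS


def triage(url: str) -> dict:
    """Classify one link as genuine, suspicious, review or unknown."""
    parsed = _parse(url)
    host = (parsed.hostname or "").lower()
    if is_genuine_whatsapp(host):
        return {"url": url, "host": host, "verdict": "genuine", "indicators": []}

    indicators = []
    # A host that merely contains "whatsapp" is a lookalike, never the real site.
    if "whatsapp" in host:
        indicators.append("lookalike_host")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in CHEAP_TLDS:
        indicators.append(f"cheap_tld:.{tld}")
    if host.endswith(FREE_HOSTING_SUFFIXES):
        indicators.append("free_hosting")
    # Whole-word match on path and query so "encode" does not trip on "code".
    words = set(re.findall(r"[a-z]+", (parsed.path + " " + parsed.query).lower()))
    if words & LURE_WORDS:
        indicators.append("lure_wording")

    if "lookalike_host" in indicators or len(indicators) >= 2:
        verdict = "suspicious"
    elif indicators:
        verdict = "review"
    else:
        verdict = "unknown"
    return {"url": url, "host": host, "verdict": verdict, "indicators": indicators}


# Constructed sample links for demonstration; none are real campaign URLs.
SAMPLE_LINKS = [
    "https://web.whatsapp.com/",
    "https://web.whatsapp.com.verify-login.cc/qr",
    "https://web.whatsapp.com@example.cc/scan",
    "whatsapp-web-login.vercel.app/verify",
    "https://example.net/news",
    "https://example.org/",
]


def triage_all(urls):
    """Triage a batch of links; returns one result dict per link, in order."""
    return [triage(u) for u in urls]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_LINKS):
        print(f"{result['verdict']:10} {result['host']:40} {result['indicators']}")
```

The point of the exact-match check is that lookalikes such as "web.whatsapp.com.verify-login.cc" start with the trusted name, so a substring or prefix test would wave them through; the userinfo sample shows why the parsed hostname, not the text of the link, is what must be compared.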
This campaign is an example of how social engineering combined with a legitimate feature (QR code device linking) can bypass even the best defenses. Always be skeptical of any "verify now" request that claims to come from WhatsApp; these are the most common lures attackers use to steal your session.
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067