The Digital Risk Protection (DRP) team at cybersecurity firm CTM360 has exposed an extensive global campaign targeting WhatsApp users, which they have named “HackOnChat.” This operation focuses on hijacking user accounts through sophisticated telecommunication exploits combined with social engineering tactics.
The threat actors behind HackOnChat were observed offering their account-hijacking services as a commercial enterprise. The campaign gained notoriety for its ability to take over a target’s WhatsApp account, in many cases without any direct interaction from the victim.
Attack Vector: Exploiting SS7 Vulnerabilities
The primary method used in the HackOnChat campaign involves the exploitation of weaknesses in the Signaling System No. 7 (SS7) protocol. SS7 is a set of telephony signaling protocols used by most telecommunication networks worldwide to route calls and text messages. By exploiting vulnerabilities within this system, attackers can intercept communications, including the SMS messages containing the one-time passwords (OTPs) that WhatsApp sends to verify a user’s phone number.
Once the attackers request a new login for the target’s phone number, they use the intercepted OTP to register the WhatsApp account on a new device. This action effectively logs the legitimate user out and gives the attacker full control of the account, including access to contacts and groups.
The ‘HackOnChat’ Operation and Impact
CTM360’s investigation revealed that HackOnChat is not a series of random attacks but a coordinated operation. The service was advertised in underground forums, indicating an organized structure. After successfully hijacking an account, the threat actors often proceed to contact the victim’s friends, family, and colleagues. These subsequent interactions are typically aimed at financial extortion or spreading further malicious links, leveraging the trust associated with the victim’s identity.
The exposure of this campaign by CTM360 highlights the persistent risks associated with legacy telecom infrastructure and underscores the importance of robust security measures for messaging applications. The findings serve as a critical alert to users and service providers about the real-world impact of SS7 protocol flaws.
Source: https://thehackernews.com/2025/11/ctm360-exposes-global-whatsapp.html