WhatsApp Account Hijacking Campaign Exploits Device Linking Feature

A new and highly effective account takeover campaign is sweeping through WhatsApp, exploiting a fundamental feature of the messaging platform to drain bank accounts and steal digital identities in minutes. Cybersecurity authorities, including India's CERT-In, have issued urgent alerts, warning users of a social engineering attack that manipulates the 'Link a Device' functionality to achieve complete account compromise.

The attack methodology is deceptively simple yet devastatingly effective. It begins with the compromise of a victim's trusted contact, often through the same method. The threat actor, now in control of that contact's account, places a voice call to the target. Posing as the friend or family member, the attacker claims to have accidentally sent the target's six-digit WhatsApp registration code via SMS and urgently requests the victim to read it back to 'cancel' the mistaken request.

This six-digit code is the linchpin of the entire attack. It is the one-time PIN sent by WhatsApp to verify a user's phone number during initial setup or when linking a new device. By handing over this code, the victim unwittingly provides the attacker with everything needed to link a new device—typically a desktop or web browser session—to the victim's WhatsApp account. The process, known as 'device linking' or 'WhatsApp Web/Desktop pairing,' is designed for convenience but becomes a critical vulnerability in this scenario.

Once the attacker's device is linked, they gain a mirror image of the victim's WhatsApp session. They can read all current and past conversations (if backups are enabled), access contact lists, and, most critically, they can intercept new incoming messages. This includes any one-time passwords (OTPs) or two-factor authentication codes sent via SMS or within the app itself by banks or other services.

The financial impact is immediate. With control of the WhatsApp account, attackers can target linked payment services like WhatsApp Pay in India or other regional UPI-based systems. They can also use the compromised account to launch secondary attacks, repeating the scam with the victim's entire contact list, thereby creating a self-propagating chain of compromise. The legitimate user is often locked out in seconds, unable to terminate the unauthorized session without regaining control of their phone number through their mobile carrier—a process that can take critical hours.

Technical Analysis & Security Implications

This campaign is significant for several reasons. First, it bypasses end-to-end encryption. WhatsApp's encryption protects message content in transit, but it cannot protect against an attacker who has legitimately linked a device using a stolen code. The authentication mechanism becomes the single point of failure.

Second, it exploits inherent trust in voice communication. A phone call from a known number carries significantly more psychological weight than a suspicious text or email, making the social engineering pretext more convincing.

Third, the attack highlights the risks of converged communications and financial ecosystems. When a single messaging app becomes a primary channel for both personal communication and financial transactions, its compromise has cascading consequences.

Mitigation and Response

CERT-In's advisory emphasizes user vigilance as the first line of defense. The core recommendation is absolute: Never share your WhatsApp registration code (6-digit SMS code) or two-step verification PIN with anyone, for any reason. Legitimate contacts or WhatsApp support will never ask for these codes.

Users should proactively enable WhatsApp's Two-Step Verification feature (found in Settings > Account > Two-step verification). This adds an additional, user-defined PIN that is required when registering a phone number with WhatsApp again. While not foolproof if a user is tricked into revealing this PIN as well, it creates a crucial second barrier.

Regularly monitor active linked devices in WhatsApp Web/Desktop settings (Settings > Linked Devices) and log out from any unfamiliar sessions immediately. Be skeptical of urgent requests for codes, even from known contacts. Verify the request through a secondary channel—a separate call back to the person on a previously known number, or an in-person conversation.

For the cybersecurity community, this campaign is a stark reminder that the human element remains the most exploitable attack surface. Platform designers must continue to evaluate authentication flows, potentially implementing delays or additional confirmations for device linking from new locations. Until then, user education on the critical value of authentication codes is the most effective countermeasure.
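To make the two defensive points above concrete (the user-defined two-step PIN from the Mitigation section, and the platform-side "additional confirmation" for registering a number on a new device), here is a small Python model of a phone-number registration flow. It is an added illustration written for this page, not WhatsApp's code or protocol: the service, device names, phone number, PIN and the exact outcome strings are all constructed. It shows why a relayed six-digit code alone moves the account to the attacker's device, and how each of the two controls independently stops that outcome while still allowing the owner to migrate to a new phone.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

PHONE = "+15550000000"  # constructed number for the example


@dataclass
class Account:
    phone: str
    two_step_pin: str | None = None                   # user-defined second factor, off by default
    devices: list[str] = field(default_factory=list)  # devices currently holding the account
    pending_otp: str | None = None                    # 6-digit registration code awaiting use
    pending_device: str | None = None                 # device that asked for that code
    awaiting_approval: str | None = None              # device waiting for an existing device's approval


class RegistrationService:
    """Simplified (hypothetical) flow: a leaked code moves the account to whichever device presents it."""

    def __init__(self, require_existing_device_approval: bool = False):
        self.accounts: dict[str, Account] = {}
        self.require_existing_device_approval = require_existing_device_approval

    def create_account(self, phone: str, device: str, pin: str | None = None) -> Account:
        self.accounts[phone] = Account(phone=phone, two_step_pin=pin, devices=[device])
        return self.accounts[phone]

    def request_code(self, phone: str, device: str) -> str:
        """Issue a fresh code; the return value stands in for the SMS that reaches the owner's phone."""
        acct = self.accounts[phone]
        acct.pending_otp = f"{secrets.randbelow(1_000_000):06d}"
        acct.pending_device = device
        return acct.pending_otp

    def submit_code(self, phone: str, device: str, otp: str, pin: str | None = None) -> str:
        """Returns one of: registered, needs_pin, needs_approval, rejected."""
        acct = self.accounts[phone]
        if acct.pending_otp is None or device != acct.pending_device:
            return "rejected"
        if not hmac.compare_digest(otp, acct.pending_otp):
            acct.pending_otp = None          # single use: a wrong guess burns the code
            return "rejected"
        if acct.two_step_pin is not None:
            if pin is None:
                return "needs_pin"           # code was right, but the PIN is a separate secret
            if not hmac.compare_digest(pin, acct.two_step_pin):
                acct.pending_otp = None
                return "rejected"
        acct.pending_otp = None
        if self.require_existing_device_approval and device not in acct.devices:
            acct.awaiting_approval = device  # hold the switch until an existing device confirms
            return "needs_approval"
        acct.devices = [device]              # registering elsewhere displaces the old device
        return "registered"

    def approve_device(self, phone: str, approving_device: str, new_device: str) -> bool:
        """Only a device that already holds the account can confirm the switch."""
        acct = self.accounts[phone]
        if approving_device not in acct.devices or acct.awaiting_approval != new_device:
            return False
        acct.awaiting_approval = None
        acct.devices = [new_device]
        return True


def scenario_code_only() -> tuple[str, list[str]]:
    """The article's case: the victim reads the code back over the phone call."""
    svc = RegistrationService()
    svc.create_account(PHONE, device="victim-phone")
    code = svc.request_code(PHONE, device="attacker-phone")   # SMS lands on the victim's phone
    outcome = svc.submit_code(PHONE, "attacker-phone", code)  # the relayed code is typed in
    return outcome, svc.accounts[PHONE].devices


def scenario_two_step_pin() -> tuple[str, str, list[str]]:
    """Same leak, but the owner had enabled a two-step PIN that was never shared."""
    svc = RegistrationService()
    svc.create_account(PHONE, device="victim-phone", pin="4321")  # constructed PIN
    code = svc.request_code(PHONE, device="attacker-phone")
    first = svc.submit_code(PHONE, "attacker-phone", code)               # needs_pin
    second = svc.submit_code(PHONE, "attacker-phone", code, pin="0000")  # wrong PIN, rejected
    return first, second, svc.accounts[PHONE].devices


def scenario_device_approval() -> dict[str, object]:
    """Platform-side control: the existing device must confirm before the switch completes."""
    svc = RegistrationService(require_existing_device_approval=True)
    svc.create_account(PHONE, device="victim-phone")
    code = svc.request_code(PHONE, device="attacker-phone")
    held = svc.submit_code(PHONE, "attacker-phone", code)                         # needs_approval
    self_approve = svc.approve_device(PHONE, "attacker-phone", "attacker-phone")  # False
    # legitimate migration: the owner's new phone is confirmed from the old one
    code = svc.request_code(PHONE, device="victim-new-phone")
    svc.submit_code(PHONE, "victim-new-phone", code)
    owner_approve = svc.approve_device(PHONE, "victim-phone", "victim-new-phone")
    return {"attacker": held, "self_approve": self_approve,
            "owner_approve": owner_approve, "devices": svc.accounts[PHONE].devices}
```

The three scenario functions map onto the article's argument: with the code as the only check, the relayed code is sufficient and the owner's device is displaced; with a two-step PIN, the same code yields `needs_pin` and a guessed PIN is rejected while the owner keeps the account; with an approval step on the platform side, the switch is held until a device that already holds the account confirms it, which the attacker cannot do from the requesting device. The model deliberately keeps the PIN and the registration code as independent secrets, which is exactly why the article stresses that neither should be read back to anyone.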

The 'Ghost in the Machine' is, ultimately, a ghost in the human decision-making process. Combating it requires reinforcing the simplest security principle: some secrets are not meant to be shared.

NewsSearcher AI-powered news aggregation