Since mid-January 2026, a broad campaign of attacks targeting thousands of Armenian WhatsApp users has been observed. CyberHUB-AM’s digital support helpdesk received upwords of 2 thousand reports related to account takeovers. Per our estimations, at least 4000 accounts have been hacked.
What Happened
Attackers gained control of some users’ WhatsApp accounts and used those compromised accounts to create WhatsApp Business profiles. These illicit business profiles were then used to send large volumes of spam messages, after which WhatsApp’s security systems frequently blocked the accounts.
What Wasn’t Compromised
According to our observations of the hacked accounts, the attackers did not access users’ prior message history, sent files, or call logs.
Attack Mechanism (Preliminary Assessment)
Our investigation indicates that vulnerabilities in the SMS delivery chain were exploited, allowing the interception of registration and two-step verification codes.
On January 20, the Republic of Armenia’s Cyber Police issued a statement on this topic. It reads, in part: “Technically speaking, criminals are able to target the SS7 protocol of mobile networks (in simple terms, the ‘postal system’ that operates between mobile operators) and capture SMS messages sent by international mobile operators.”
Clarification: SS7 is a signaling protocol used between mobile operators to exchange technical information and ensure proper routing of calls and SMS messages.
The CyberHUB-AM team notified WhatsApp’s parent company Meta about the attacks from the very first day. Through a Meta representative, we were able to help restore hundreds of user accounts. CyberHUB also regularly published explanatory videos, which enabled hundreds more people to independently recover their accounts and protect themselves from further attacks.
Reports on our support platform have almost stopped since February 2. According to our information, Meta and the SMS provider implemented additional protective measures, which resulted in halting the attack.
Before account takeovers ceased, we again confirmed that users who had enabled two-step verification in WhatsApp were able to restore their accounts much more easily. Attackers could not create business accounts or send mass spam on their behalf, which ultimately prevented their accounts from being blocked. Accordingly, we strongly urge users to enable this feature.
How to Enable Two-Step Verification
-
Open WhatsApp and go to Settings
-
Select the Account section
-
Tap Two-step verification
-
Tap Turn on and set a 6-digit PIN (be sure to remember it)
-
Add your email address so you can recover the code if you forget it