🚨 WhatsApp Number Hijack Scam: Hackers Clone Your Number and Empty Your Bank Account — IT’S INSANE
If you've ever gotten a text from your own number asking for a quick bank transfer, you're not imagining things. THIS IS A WARNING! A recent report on the 2026 WhatsApp number hijack scam from LinkedIn analyst Antonio De Bortoli shows how cybercriminals are exploiting the trust people place in their own phone number. The scheme is especially dangerous because it bypasses the usual red flags that protect users from phishing attacks.
The scheme doesn't require malicious links, stolen verification codes, or malware installation; instead, attackers simply use the victim's number to send convincing messages that appear to come straight from the user's own device. This stealthy approach leaves few digital crumbs for victims to detect.
"I didn't click on anything" is the phrase that keeps coming up in cases like this.
Because the messages originate from a familiar number, friends and family often assume the request is genuine, making the scam highly effective.
🚨 Red Flag: Messages Sent From Your Own Number
The first warning sign is a sudden flood of texts sent from the victim's own WhatsApp number to recent contacts or anyone in the address book.
These messages are short, direct, and often ask for money: "Can I get an instant bank transfer? I'll send it all back later."
Unlike fake profiles that use copied photos, the messages come from the original number, making them appear legitimate to friends, family, and colleagues.
The most common script involves an instant transfer request, a tactic that's proven effective because the victim sees the request as coming from someone they know.
The psychological tactic relies on familiarity; when the message comes from a number you've known for years, the brain shortcuts past scrutiny and accepts the request at face value.
In many cases, the victim only discovers the fraud after the money has already been transferred, because the instant transfer cannot be reversed once the bank confirms the transaction.
🔄 The Device Switch Trick: How Hackers Flip Between Phones
De Bortoli says the compromise isn't a classic WhatsApp Web takeover or a stolen account obtained via SMS verification codes.
Instead, investigators suspect a rapid "device switch," where the attacker alternates between the victim's primary phone and a secondary device they control.
Imagine you have two phones: your personal phone (Phone A) and a hacker's phone (Phone B).
Normally, WhatsApp registers your number on Phone A, so all messages flow there.
If a hacker manages to register the same number on Phone B — often by using a stolen SIM or by convincing the carrier to port the number — both phones think they're the rightful owner.
The app then "flips" the active session between the two devices, so one moment you see messages on Phone A, the next they appear on Phone B.
Because the victim's phone still shows the app as "online," friends assume nothing is wrong until a contact calls asking why you asked for money. THIS IS DANGEROUS!
The secondary device can be any smartphone, tablet, or even a computer that has WhatsApp installed and where the attacker has access to the victim's phone number.
Because WhatsApp stores authentication tokens locally, once the attacker registers the number on the new device, the app can seamlessly take over the active session without requiring the victim to log out or re‑enter a code.
🛠️ Grandma‑Friendly Tech Breakdown: How the Device Switch Works
Think of your WhatsApp account as a telephone line that can be plugged into either Phone A or Phone B.
When the line is connected to Phone A, you hear the conversation; when someone unplugs it and plugs it into Phone B, the call continues on the new device.
The attacker's job is to "unplug" the line from your phone and "plug" it into theirs, all while the app thinks you're still logged in.
Because the switch is invisible to you, the only clue is a sudden surge of messages that look like they came from you.
🔧 Simple Analogy: The “Switch‑eroo” Explained
Picture a phone call that's routed through a single cable.
If the cable is moved from your handset to a hacker's handset, the call continues on the new device.
WhatsApp works the same way; the authentication token stays valid on both devices, so the app doesn't warn you that the session has moved.
Think of it like a shared key that works on two doors; once the key is copied, both doors open without you noticing.
💸 Common Elements: Instant Transfers, VPNs, and Bots
Across the reported cases, a few recurring elements show up again and again.
The most frequent request is for an instant bank transfer, phrased as "Can you send me a bank transfer? I'll explain later."
Instant transfers are favored because once the money is moved, it's far harder to reverse compared to a regular bank transfer.
To hide their location, the fraudsters route the messages through VPNs located in places such as Hong Kong, making detection tougher for security teams.
Automated bots are used to blast the same script to dozens of contacts within minutes, increasing the odds that at least one person will fall for the request.
The use of VPNs is not random; attackers often choose servers in jurisdictions with lax data regulations, allowing them to hide traffic patterns from network monitoring tools.
Bots can be programmed to send messages at intervals that mimic normal conversation timing, further reducing the chance that a recipient will suspect a scam.
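The fan-out described above (one script, many contacts, minutes apart) is also the signal a defender can look for in an account's outgoing messages. The following Python detector is an added example, not part of the original article; the tuple log format, the keyword list, the thresholds and the sample log are assumptions constructed for illustration.

```python
import re
import unicodedata
from collections import defaultdict
from datetime import datetime, timedelta

# "bonifico" is from the article's quoted scripts; the English terms are assumed.
KEYWORDS = ("bonifico", "bank transfer", "send money")

def normalize(text):
    """Lower-case and drop accents/punctuation so near-identical copies match."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", text).strip()

def find_bursts(messages, window=timedelta(minutes=10), min_recipients=5):
    """Flag money-request texts sent to many distinct contacts within `window`.
    messages: (timestamp, recipient, text) tuples for outgoing messages."""
    by_text = defaultdict(list)
    for ts, recipient, text in messages:
        norm = normalize(text)
        if any(k in norm for k in KEYWORDS):
            by_text[norm].append((ts, recipient))
    alerts = []
    for norm, events in by_text.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {r for _, r in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_recipients:
            alerts.append((norm, sorted(best)))
    return alerts

# Constructed sample log: six copies of the quoted script sent 70 s apart
# (human-looking pacing), plus two ordinary messages.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SCRIPT = "Puoi farmi un bonifico? Ti spiego dopo."
SAMPLE_LOG = [(T0 + timedelta(seconds=70 * i), f"contact-{i}", SCRIPT)
              for i in range(6)]
SAMPLE_LOG += [(T0 - timedelta(hours=3), "contact-1", "See you at 8?"),
               (T0 - timedelta(days=2), "contact-2", "Ti faccio il bonifico domani")]

if __name__ == "__main__":
    for text, recipients in find_bursts(SAMPLE_LOG):
        print(f"ALERT: {text!r} sent to {len(recipients)} contacts")
```

The 10-minute window and five-recipient threshold are starting points; a bot that paces its messages more slowly needs a wider window to be caught.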
📱 Who’s Affected? iPhone Users and the iOS 16 Factor
Some reports specifically mention iPhones running iOS 16, but there's no concrete evidence linking this version to the hijack.
The data so far is anecdotal; it could be a coincidence, a lack of updates, or simply a subset of devices that haven't been patched.
Without official technical proof, any claim about a specific OS vulnerability remains speculative, and we should treat it with caution.
Since iOS 16 is still the version running on a large installed base of iPhones, the scam can affect a broad audience, especially users who have not updated to the latest iOS release.
🛡️ Immediate Steps: Updates, Linked Devices, and 2FA
First and foremost, keep WhatsApp, iOS, and Android apps up to date — security patches often arrive with routine updates.
Next, open WhatsApp's "Linked Devices" settings and scan for any unfamiliar device; disconnect it instantly.
Experts also recommend enabling WhatsApp's two‑step verification, choosing a PIN that's different from any other password you use.
While 2FA isn't a silver bullet, it adds a solid barrier that blocks many account‑takeover attempts, especially when paired with vigilant device management.
Disabling unknown devices is as simple as tapping the 'X' next to the unfamiliar entry; the action takes less than a second but can cut off the attacker's access instantly.
Choosing a two‑step verification PIN that is unrelated to any other passwords you use dramatically reduces the chance that an attacker who obtains one code can leverage it elsewhere.
🛠️ Grandma‑Friendly Tech Breakdown (continued)
The token that authenticates a WhatsApp session is essentially a secret key that proves the device is authorized to use the number. When a new device registers, it requests this token, and if the attacker has already captured it, the takeover is instantaneous.
This is why the victim may see no logout notification; the app thinks the session is still active on the original device, while the attacker silently operates on the new one.
🔎 How the Attack Propagates: The Role of SIM Swapping
One common pathway for the device switch is a SIM‑swap attack, where the attacker convinces the mobile carrier to port the victim's number to a SIM card they control.
Once the number is under the attacker's control, they can register WhatsApp on a new device, effectively taking over the account without ever touching the victim's phone.
Because the carrier's verification process can be weak, the victim may never notice that their number has been moved until strange messages start appearing.
This step explains why the scam can bypass two‑factor authentication, which relies on a code sent to the registered phone number; if the number itself is compromised, the code is useless.
📊 Statistics & Impact (No Official Numbers Yet)
The article notes that reports of the 2026 WhatsApp number hijack scam are rising, but no official statistics have been released by Meta or any law‑enforcement agency.
Because the attack leaves little forensic evidence, victims often discover the breach only after a friend or family member questions a money request.
That delayed awareness can turn a modest request for a few hundred euros into a substantial financial loss, especially when instant transfers are used.
Security analysts warn that the lack of public data makes it hard to gauge the true scale, but the trend is clear: cybercriminals are looking for ways to hijack the trust people place in their own phone number.
🔐 What Meta Is Doing (or Not Doing)
Meta has not released a dedicated communication about this specific type of hijack, and there are no public statements linking it to a structural flaw in WhatsApp or the underlying operating system.
Without an official advisory, users must rely on community reports and the advice of security researchers like Antonio De Bortoli to stay protected.
For now, the best defense remains diligent app updates, careful device management, and enabling two‑step verification.
🚀 Quick‑Fire Defense: 5 Funny‑But‑Useful Moves to Keep Scammers Out
Here are five fast, funny‑but‑useful actions you can take right now to block scammers before they strike.
- 🔒 Enable two‑step verification and set a PIN that's not used anywhere else.
- 📱 Regularly audit "Linked Devices" in WhatsApp and kick out any unknown device.
- 📲 Keep your OS and app updates current; a simple patch can close known vulnerabilities.
- 🚨 If you receive a money request from your own number, call the contact directly before sending anything.
- 🛡️ Never share SMS or push‑notification verification codes, even if the request looks legit.
🔍 Deep Dive: How 2FA Can Be Circumvented
Even though two‑step verification adds a layer of protection, the device‑switch technique can bypass it because the attacker controls the phone number that receives the verification code.
If the attacker has already ported the number to a SIM they control, the SMS code is delivered to their device, making the 2FA step useless.
Moreover, some victims reported that the attacker used WhatsApp's "login via phone number" feature after the number was hijacked, effectively resetting the session without needing the code.
These nuances show why relying solely on 2FA is insufficient; a layered approach is essential.
Even though SMS codes are the most common 2FA method, they can be vulnerable to interception.
In addition to SMS codes, some attackers use SS7 interceptors or voice‑based verification calls to capture the code, especially when the victim's number is already under their control.
Therefore, security experts recommend using app‑based two‑factor authentication (such as Google Authenticator) when possible, because it generates codes locally on the device and cannot be intercepted by network‑level attacks.
📞 Real‑World Victim Experience (Based on Reported Cases)
Many victims describe the moment they realized something was wrong when a close friend called, upset because they had just asked for a money transfer.
The friend's confusion often stems from receiving a message that looks exactly like a normal request from the victim, complete with the victim's own name and profile picture.
In several cases, the victim discovered the hijack only after checking the "Linked Devices" list and seeing an unfamiliar device active.
The emotional impact ranges from embarrassment to financial stress, especially when the requested amount is large.
One common pattern is that the victim receives a message that looks exactly like a normal request from a family member, asking for a quick loan or emergency cash, and the victim, trusting the familiar name, sends the money without a second thought.
After the transfer, the victim often feels embarrassed to admit they were duped, which can delay reporting and make recovery more difficult.
🛠️ What To Do If You’re Already Compromised
First, immediately log out of all devices by revoking access in the Linked Devices settings.
Next, change your WhatsApp PIN and enable two‑step verification with a new PIN that differs from any previous one.
Then, contact your bank to dispute the unauthorized transfer and request a reversal if possible.
Finally, file a report with the Polizia postale and consider freezing your SIM card to prevent further SIM‑swap attempts.
The Bottom Line
In short, the 2026 WhatsApp number hijack scam is a stealthy, device‑switching attack that can empty your bank account before you even realize you've been compromised.
Stay vigilant, update your apps, lock down linked devices, and enable two‑step verification — because the difference between a harmless chat and a financial loss can be a single click.
Share this warning, drop a comment with your experience, and most importantly, enable 2FA right now before the next message lands in your inbox. STAY ALERT! 🔥 Stay safe, stay savvy!
