In our line of work as human rights defenders, secure communication is not just a convenience, it is a necessity. For many of us, WhatsApp and Telegram are lifelines for organizing, documenting, and protecting those at risk. However, as our reliance on these platforms grows, so does the sophistication of those who seek to silence us.
At DPI, we have observed a sharp rise in account hijacking that doesn’t rely on complex hacking, but on social engineering. Attackers are now tricking users into “inviting” them into their accounts through legitimate features like device linking and mini-apps.
How the Attacks Work: Exploiting Trust
1. WhatsApp: The “GhostPairing” Trap
The most prevalent new threat is called “GhostPairing.” It exploits WhatsApp’s “Linked Devices” feature, which usually allows you to use WhatsApp on your computer.
- The Bait: You receive a message from a trusted contact (whose account is already compromised) saying something like, “Is this you in this photo?” with a link.
- The Trick: Clicking the link takes you to a fake page that looks like Facebook or a photo viewer. It asks for your phone number to “verify” you.
- The Hijack: The attacker uses your number to request an official WhatsApp pairing code. They then display this code on the fake website and ask you to enter it into your WhatsApp app. Once you do, you have unknowingly authorized the attacker’s browser as a “linked device.” They now have full access to your chats and media in real time while your phone continues to work normally.
2. Telegram: The “Mini-App” Phishing Lure
Telegram’s “Mini Apps,” programs that run directly inside the chat interface, are being abused because they lack a strict vetting process.
- The Bait: You might see an “airdrop” or a “gift” offer from what appears to be a legitimate channel or celebrity.
- The Trick: When you open the Mini App, it looks official because it’s inside the Telegram interface. It prompts you to “log in” by entering your phone number and 2FA code directly within the app.
- The Hijack: Since the app is malicious, the attacker captures your credentials immediately. Because these apps don’t open in an external browser, users are often less suspicious, assuming Telegram has “verified” the app.
The Remedies: Hardening Your Digital Defense
To protect your work and your network, we recommend implementing these immediate security measures:
- Audit Your Sessions Regularly: This is your first line of defense.
  - WhatsApp: Go to Settings > Linked Devices. If you see a device or browser you don’t recognize (e.g., “Google Chrome on Windows” when you only use a Mac), log it out immediately.
  - Telegram: Go to Settings > Devices. Terminate any sessions that aren’t yours. Use the “Automatically terminate old sessions” setting for added safety.
- Enable Two-Step Verification (2SV): Set a custom PIN that must be entered when registering your number on a new device. This prevents attackers from taking full control even if they have your SMS code.
- Trust the Platform, Not the Link: Official platforms will never ask you to enter a pairing code or OTP into an external website or a third-party Mini App.
- Verify Offline: If a colleague or contact sends an urgent or strange link, call them on a traditional phone line to confirm they actually sent it before clicking.
- Use Passkeys: Where available, set up Passkeys (biometric login) which are significantly more resistant to phishing than SMS codes.
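For organizations that must audit many accounts, the Telegram session review above can be scripted. The following is an added example, not DPI’s or Telegram’s own tooling: the audit logic runs over constructed sample sessions whose fields mirror the account.Authorization records that the Telethon library returns (hash, device_model, platform, app_name, ip, country, date_active, current), and a separate function shows how the same logic would be applied to a live, already logged-in Telethon client (telethon is assumed to be installed; the device allowlist, home countries and IP addresses are constructed placeholders). WhatsApp offers no comparable public API for linked devices, so that check remains a manual step in Settings > Linked Devices.

```python
"""Telegram session audit helper.

Added example, not DPI's or Telegram's own tooling. The record fields mirror
the account.Authorization object Telethon returns (hash, device_model,
platform, app_name, ip, country, date_active, current); the sample sessions,
allowlist, countries and IPs below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    hash: int              # Telegram's per-session identifier, needed to revoke it
    device_model: str
    platform: str
    app_name: str
    ip: str
    country: str
    date_active: datetime
    current: bool = False  # the session that is running this audit


def audit_sessions(sessions, trusted_devices, home_countries, now,
                   fresh_hours=24, stale_days=30):
    """Classify sessions; returns (to_terminate, warnings).

    to_terminate: sessions whose (platform, device_model) is not allowlisted.
    The current session is never terminated, so the audit cannot lock us out.
    warnings: one note per finding, including allowlisted device types that
    went active from outside home_countries recently (a freshly linked web or
    desktop client can report a device type you already own) and sessions idle
    longer than stale_days (what "Automatically terminate old sessions" drops).
    """
    to_terminate, warnings = [], []
    for s in sessions:
        if s.current:
            continue
        label = f"{s.app_name} on {s.platform} ({s.device_model}) from {s.country}/{s.ip}"
        idle = now - s.date_active
        if (s.platform, s.device_model) not in trusted_devices:
            to_terminate.append(s)
            warnings.append(f"TERMINATE unrecognized session: {label}")
        elif s.country not in home_countries and idle < timedelta(hours=fresh_hours):
            warnings.append(f"REVIEW trusted device type active from new country: {label}")
        elif idle > timedelta(days=stale_days):
            warnings.append(f"STALE session idle {idle.days} days: {label}")
    return to_terminate, warnings


def run_demo():
    """Run the audit over constructed sample sessions (RFC 5737 test IPs)."""
    now = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    sessions = [
        Session(1, "iPhone 13", "iOS", "Telegram iOS", "203.0.113.5", "Uganda",
                now - timedelta(hours=1), current=True),
        Session(2, "MacBook Pro", "macOS", "Telegram Desktop", "203.0.113.5", "Uganda",
                now - timedelta(hours=3)),
        # a web session nobody on the team created: the classic hijacked link
        Session(3, "Chrome 120", "Windows", "Telegram Web", "198.51.100.77", "Germany",
                now - timedelta(minutes=20)),
        # looks like a known laptop, but woke up abroad an hour ago
        Session(4, "MacBook Pro", "macOS", "Telegram Desktop", "192.0.2.44", "Germany",
                now - timedelta(hours=2)),
        # an old phone that has not been used for weeks
        Session(5, "Pixel 6", "Android", "Telegram Android", "203.0.113.9", "Uganda",
                now - timedelta(days=40)),
    ]
    trusted = {("iOS", "iPhone 13"), ("macOS", "MacBook Pro"), ("Android", "Pixel 6")}
    return audit_sessions(sessions, trusted, {"Uganda"}, now)


def terminate_untrusted(client, trusted_devices, home_countries):
    """Live variant: needs a logged-in Telethon client used synchronously
    (assumes `from telethon.sync import TelegramClient`). Fetches the real
    session list, audits it and revokes the flagged sessions. Compare the
    warnings with Settings > Devices before trusting the allowlist blindly."""
    from telethon.tl.functions.account import (GetAuthorizationsRequest,
                                                 ResetAuthorizationRequest)
    auths = client(GetAuthorizationsRequest()).authorizations
    sessions = [Session(a.hash, a.device_model, a.platform, a.app_name, a.ip,
                        a.country, a.date_active, bool(a.current)) for a in auths]
    to_terminate, warnings = audit_sessions(
        sessions, trusted_devices, home_countries, datetime.now(timezone.utc))
    for s in to_terminate:
        client(ResetAuthorizationRequest(hash=s.hash))
    return to_terminate, warnings


if __name__ == "__main__":
    revoked, notes = run_demo()
    for note in notes:
        print(note)
    print("would terminate:", [s.hash for s in revoked])
```

On the sample data the script terminates only the unknown web session and raises review notes for the laptop session appearing from a new country and for the idle phone; the allowlist keyed on (platform, device_model) is deliberately coarse, which is why a trusted device type from an unexpected country is reported for a human to check rather than revoked automatically.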
The digital space is a critical arena for human rights work. By staying vigilant and securing our accounts, we ensure that our voices remain loud and our data remains safe. If you suspect your account has been compromised or need further training, reach out to us at Defenders Protection Initiative.
