Whalebone blog

Inside a WhatsApp Account Hijacking Campaign Spreading Across Europe

Written by Tadeas Hajek | 4.3.2026 14:12:23

WhatsApp Hijacking Campaign Targets Users Across Czechia and Other European Countries

Tadeáš Hájek 
Whalebone Threat Intelligence Analyst


Throughout February 2026, Whalebone Threat Intelligence has been monitoring a widespread phishing campaign targeting WhatsApp users in more than 15 countries worldwide, including Czechia, Serbia, Spain, and Brazil. Since the beginning of the month, Whalebone has identified and blocked over 200 domains associated with the campaign.

Messaging platforms like WhatsApp are lucrative targets for cybercriminals because they carry immediate, informal, and trusted communication between personal contacts.

The attackers use a previously hijacked account belonging to someone the victim knows and exploit that existing trust to direct the victim to a fraudulent voting website. Under the guise of a simple "authentication" step for a contest, the site attempts to take complete control of the victim's WhatsApp account.

Stolen accounts are then used to spread the same phishing messages to the victim's contact list and to run social engineering attacks, typically requests for short-term loans sent to the victim's close contacts.

The campaign has gained significant traction in European media in recent weeks. The hijacking method itself is not new, however: the underlying infrastructure and techniques have been observed in various iterations since early 2025. Throughout the observed instances, technical evidence has pointed to a Russian-speaking threat actor or group.


Attack Flow: From Message to Account Takeover


1. The Bait

Messages such as the one below have been sent to Czech WhatsApp users in recent weeks. All the messages we observed were consistent; the only significant variation was the linked URL, which the threat actors rotate across a pool of randomized domains. These domains typically use names loosely associated with dance or ballet, often with spelling errors, likely to evade detection.

During initial discovery, we identified dozens of further domains sharing similar artifacts, targeting not only Czech WhatsApp users but also users in at least 13 additional countries.


“Hi! Can you please vote for Alexandra in this poll? She is my friend's daughter.
The main prize is a free scholarship for next year and it's very important for her.
Thanks very much!”


2. The Hook

The message arrives from a known contact whose account has already been hijacked upstream and requests a seemingly benign action: voting for a specific contestant in a children's dance competition. Its sole purpose is to get the recipient to open the attached link.

The message does not attempt to create the sense of urgency commonly seen in other phishing campaigns; instead it poses as a low-stakes, altruistic favor.

Because the message originates from the hijacked account of someone the recipient knows, it lowers the victim's defenses, bypasses the skepticism usually reserved for unknown senders, and exploits the trust within established social circles.


3. The Catch

Upon navigating to the malicious link, the victim lands on a page displaying images of two child participants in gymnastic poses; among them, "Alexandra" from the initial WhatsApp phishing message is shown trailing by a narrow margin of votes.


Upon selecting the target "competitor," a popup window prompts the victim to log in to "verify" the vote through WhatsApp.


Once the victim enters their phone number, they are presented with a pairing code and instructed to enter it in the "Linked Devices" section of their WhatsApp settings.

At this stage, the actual hijacking of the WhatsApp account occurs:

  • As the victim enters the pairing code in their WhatsApp settings, the attacker's WhatsApp instance is authorized as a linked device.
  • The threat actor obtains full access to the victim's contacts and chat history, and can initiate new chats.
  • The compromised account is then used to propagate the initial "voting" phishing message to the victim's contact list.
  • Close acquaintances are approached with fraudulent requests for short-term loans, to be sent to a bank account controlled by the attacker.

The attacker's session persists until the victim removes it, so reviewing the Linked Devices list and logging out any unrecognized device is the immediate remediation for a hijacked account.

This modus operandi points to a clear financial motivation. To remain hidden during the transfer of funds, the attackers typically use hijacked bank accounts or a network of local money mules. These intermediaries either hand the cash to a courier or launder it through gray-market cryptocurrency exchanges. At that point the stolen funds are effectively lost, and recovery is rarely successful.


Infrastructure Behind the Phishing Operation

The adversary uses randomized domain names associated with dance or competitions, such as denceegimcz[.]life, baletidancecz[.]run, or stardencer[.]fun, often incorporating typographical errors and the country code of the targeted region.

Beyond this theme, no consistent generation pattern has been observed in the domain names. The domains are registered through multiple registrars, and the entire operational infrastructure sits behind Cloudflare's proxy service to hide the true origin servers. The lack of automated behaviour suggests a human-operated, lower-scale campaign.

The visual appearance of the websites is consistent across all observed domains and targeted regions. The core design and bait methodology have not evolved significantly from the iterations observed throughout 2025; the variations are limited to localized names, such as "Alexandra" and "Daniela" in the Czech variant, and, in some instances, replaced "competitors'" photos.

As of the end of February 2026, at least 15 localized variations of the scam have been identified, targeting Czechia, Slovakia, Slovenia, Serbia, Romania, Bulgaria, Poland, and Croatia, as well as Western European and international targets such as Spain, Italy, Greece, Brazil, Mexico, and Ireland. Based on the volume of unique domains allocated to each region, the threat actors appear to be prioritizing European countries.
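As an added example (not Whalebone's tooling and not the kit's code), the following JavaScript scores resolver-log entries against the naming traits described above: a dance- or ballet-themed token, a one-character misspelling of such a token, a trailing country code in the second-level label, and a cheap TLD. The keyword list, the country-code list, the score weights, the flag threshold and the log lines are all assumptions constructed for the example; the three defanged domains quoted above are included among the constructed log lines so the heuristic can be checked against them.

```javascript
// Added example: heuristic hunt over DNS resolver logs for the dance/ballet-themed
// typosquat domains described above. Keyword list, country codes, weights and the
// log lines are constructed assumptions, not data from the campaign writeup.

const THEME_WORDS = ["dance", "ballet", "gym", "star", "vote", "contest", "poll"];
const COUNTRY_CODES = ["cz", "sk", "si", "rs", "ro", "bg", "pl", "hr", "es", "it", "gr", "br", "mx", "ie"];
const SUSPECT_TLDS = new Set(["life", "run", "fun", "top", "xyz", "site", "online", "click"]);
const FLAG_THRESHOLD = 4;

// Edit distance, used to catch one-character misspellings such as "dence" or "balet".
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Best edit distance between a theme word and any window of the label.
function bestWindowDistance(label, word, slack) {
  let best = Infinity;
  for (let len = word.length - slack; len <= word.length + slack; len++) {
    for (let i = 0; i + len <= label.length; i++) {
      best = Math.min(best, levenshtein(label.slice(i, i + len), word));
    }
  }
  return best;
}

// Scores one domain; accepts defanged input such as "denceegimcz[.]life".
function scoreDomain(domain) {
  const labels = domain.toLowerCase().replace(/\[\.\]/g, ".").split(".");
  const result = { domain, score: 0, reasons: [], flagged: false };
  if (labels.length < 2) return result;
  const tld = labels[labels.length - 1];
  const sld = labels[labels.length - 2];
  for (const word of THEME_WORDS) {
    const slack = word.length >= 5 ? 1 : 0; // fuzzy-match only the longer words
    const d = bestWindowDistance(sld, word, slack);
    if (d === 0) { result.score += 2; result.reasons.push(`theme:${word}`); }
    else if (d <= slack) { result.score += 3; result.reasons.push(`theme-typo:${word}`); } // misspellings weigh more
  }
  const cc = COUNTRY_CODES.find((c) => sld.length > c.length && sld.endsWith(c));
  if (cc) { result.score += 1; result.reasons.push(`cc:${cc}`); }
  if (SUSPECT_TLDS.has(tld)) { result.score += 1; result.reasons.push(`tld:${tld}`); }
  result.flagged = result.score >= FLAG_THRESHOLD;
  return result;
}

// Constructed resolver log in the form "<timestamp> <client> <qtype> <qname>".
const SAMPLE_DNS_LOG = [
  "2026-02-12T10:14:03Z 10.0.0.7 A denceegimcz.life",
  "2026-02-12T10:14:05Z 10.0.0.7 A cdnjs.cloudflare.com",
  "2026-02-12T10:15:41Z 10.0.0.9 A baletidancecz.run",
  "2026-02-12T10:16:02Z 10.0.0.9 A dancecompany.com",
  "2026-02-12T10:17:19Z 10.0.0.12 A stardencer.fun",
  "2026-02-12T10:18:00Z 10.0.0.12 A ceskatelevize.cz",
];

// Returns the log entries whose queried name crosses the threshold.
function huntDnsLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [ts, client, , qname] = line.trim().split(/\s+/);
    if (!qname) continue;
    const r = scoreDomain(qname);
    if (r.flagged) hits.push({ ts, client, qname, score: r.score, reasons: r.reasons });
  }
  return hits;
}

console.log(huntDnsLog(SAMPLE_DNS_LOG));
```

The weights deliberately favour misspelled theme words over exact ones, because a legitimate dance school is far more likely to spell "ballet" correctly than a disposable phishing domain is; a benign "dancecompany.com" scores 2 and stays under the threshold, while the three campaign domains score 5 to 7. Treat the output as a hunting lead to pivot on (registrar, Cloudflare fronting, page template), not as a block decision on its own.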

Technical Observations

The relative lack of sophistication of the campaign allowed us to examine the client-side code of the attacker's system. The campaign relies on a communication channel established over Socket.IO, orchestrated by a JavaScript file internally named number.js.

The client-side script opens a connection to a Cloudflare-fronted command and control (C2) server. Once the victim submits their phone number, the server requests a pairing code from WhatsApp's official device-linking service on the victim's behalf and relays it to the browser, which displays it as the 6-digit linking code.

Once the hijack is complete, the C2 server redirects the victim back to the main site, which shows a popup confirming that their vote was successfully counted.



Interestingly, the custom JavaScript includes what appears to be an anti-analysis measure, a function labeled "surprise". It is presumably triggered by the C2 server when it detects forensic activity or an unauthorized session. When executed, it spawns 1,000 Web Workers, each running an infinite loop of trigonometric and algebraic operations. The resulting CPU exhaustion effectively denies service to the analyst's machine and freezes the browser.
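To make the mechanism and the analyst's countermeasure concrete, here is an added example that is not the kit's code: an illustrative reconstruction of the routine described above (the loop body, the data: URL delivery and the function signature are assumptions based only on the description) together with a shim that replaces the global Worker constructor with one that records every spawn attempt instead of executing it. The shim is the point of the example: with it installed before number.js runs, the flood becomes a list of what the page tried to do.

```javascript
// Added example: an illustrative reconstruction of the "surprise" CPU-flood routine
// described above (not the kit's actual code; the loop body and data: URL delivery
// are assumptions) plus an analyst-side Worker shim that records spawn attempts
// instead of executing them.

// Each worker would spin forever on trig/algebra work, pinning one core.
const BUSY_LOOP = "let x = 1; for (;;) { x = Math.sin(x) * Math.cos(x) + Math.sqrt(Math.abs(x) + 1); }";

// Reconstruction of the anti-analysis routine: many workers, all running BUSY_LOOP.
// Never call this in a browser without the shim below installed first.
function surprise(count = 1000) {
  const url = "data:text/javascript," + encodeURIComponent(BUSY_LOOP);
  const workers = [];
  for (let i = 0; i < count; i++) workers.push(new globalThis.Worker(url));
  return workers;
}

// Analyst shim: swap the global Worker constructor for one that only logs what would
// have run. Returns the log and a function that puts the original back.
function installRecordingWorker(target = globalThis) {
  const spawned = [];
  const original = target.Worker;
  class RecordingWorker {
    constructor(scriptUrl, options) {
      const src = String(scriptUrl);
      const body = src.startsWith("data:")
        ? decodeURIComponent(src.slice(src.indexOf(",") + 1)) // recover inline worker code
        : null;                                                // external script: fetch it separately
      spawned.push({ scriptUrl: src, body, options });
    }
    postMessage() {}
    terminate() {}
    addEventListener() {}
  }
  target.Worker = RecordingWorker;
  return {
    spawned,
    restore() {
      if (original === undefined) delete target.Worker;
      else target.Worker = original;
    },
  };
}

// Run the routine under the shim and summarise what it tried to do, at no CPU cost.
function triage(count = 1000) {
  const { spawned, restore } = installRecordingWorker();
  try {
    const handles = surprise(count);
    const infiniteLoops = spawned.filter(
      (w) => w.body !== null && /for\s*\(\s*;\s*;\s*\)|while\s*\(\s*true\s*\)/.test(w.body)
    ).length;
    return { requested: count, spawned: spawned.length, infiniteLoops, handles: handles.length };
  } finally {
    restore();
  }
}

console.log(triage());
```

In a browser the shim has to be in place before the page's own scripts execute, for example via a DevTools local override or a user script that runs at document-start; number.js can then be stepped through normally and the recorded body strings are inspected instead of being run. A worker created from an external script URL is recorded with a null body, which is the cue to fetch and read that script separately.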



Finally, the infrastructure exhibits artifacts that help attribute the threat actor's origin. Multiple analyzed index.html files contain an <html lang="ru"> tag, suggesting a Russian-language development environment or a phishing kit written by Russian-speaking authors. On its own the lang attribute is weak evidence, since it travels with copied page templates and is trivial to change, so it serves as corroboration rather than proof. Combined with the predominant focus on Central and Southern European WhatsApp users, it indicates a likely Russian-speaking threat actor or group.

Based on these artifacts, Whalebone Threat Intelligence pivoted to identify a significant volume of malicious websites with identical patterns. As of late February 2026, we have intercepted and blocked over two hundred malicious domains associated with this campaign, neutralizing the infrastructure before further account hijacking could take place.


How Whalebone Protects You

Because WhatsApp is end-to-end encrypted, no security provider can read or block the initial message before it reaches your phone. Whalebone instead neutralizes the attack at the network level: if a user clicks the malicious link, Whalebone's DNS protection intercepts the request and blocks access to the attacker's website. The threat is stopped before the phishing page can even load, so the pairing code is never shown and the account stays safe.