惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Privacy International News Feed
I
Intezer
T
Tenable Blog
S
Schneier on Security
Project Zero
Project Zero
G
GRAHAM CLULEY
酷 壳 – CoolShell
酷 壳 – CoolShell
小众软件
小众软件
Know Your Adversary
Know Your Adversary
博客园 - 司徒正美
The Cloudflare Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
News and Events Feed by Topic
博客园 - 叶小钗
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题
aimingoo的专栏
aimingoo的专栏
S
Secure Thoughts
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 【当耐特】
罗磊的独立博客
IT之家
IT之家
H
Hacker News: Front Page
I
InfoQ
云风的 BLOG
云风的 BLOG
S
Security Affairs
M
MIT News - Artificial intelligence
GbyAI
GbyAI
Jina AI
Jina AI
Help Net Security
Help Net Security
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
Webroot Blog
Webroot Blog
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
Attack and Defense Labs
Attack and Defense Labs
The Register - Security
The Register - Security
V
V2EX
G
Google Developers Blog
D
DataBreaches.Net
Apple Machine Learning Research
Apple Machine Learning Research
C
Cybersecurity and Infrastructure Security Agency CISA
J
Java Code Geeks
W
WeLiveSecurity
Cloudbric
Cloudbric
T
Tor Project blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
How WhatsApp Accounts Really Get "Hacked" (and How to Lock Yours Down)
Mungai M. · 2026-06-24 · via DEV Community

Quick question before you read on. If someone took over your WhatsApp right now, who would they hit first? Your family group? Your clients? The estate WhatsApp where everyone trusts your name? Sit with that for a second, because that is the whole game. Losing the app is annoying. Losing the trust attached to your name is the part that costs people money.

In Kenya this usually looks like a panicked "nisaidie na fare" message, a fake M-PESA reversal, a too-good job link, or a sudden text asking you to read back a six-digit code. The wrapping changes from country to country, but the trick underneath is the same everywhere: someone wants your number, your account, or your contacts' trust.

Here is the part most people get wrong. They picture a hacker in a hoodie tearing through encryption. That is almost never what happens. WhatsApp's end-to-end encryption is genuinely hard to break, and the people coming after your account are not trying to break it. They are trying to get you to hand over the keys.

What "hacking" actually means here

The word people are reaching for is account takeover. Someone registers your phone number on their own phone, and from that moment they are you, as far as your contacts can tell.

Think of it like a thief who never touches the padlock on your gate. He just shows up in a delivery uniform, looks like he belongs, and you open the gate yourself. Once he is in, he can message your contacts for money, drop scam links in your groups, sit in your private chats pretending to be you, and use your name to go find the next victim.

So the honest framing is not "my app got hacked." It is "my access got stolen, and usually I helped without realising it."

The ways they get in

Method What it looks like What they're after
OTP / code theft A six-digit code arrives, then someone asks you to share it To register your WhatsApp on their phone
Phishing links A link about free data, a refund, a job, a prize, a "blocked account" Your passwords, your details, or a malware install
Malware An unofficial app or a permission you should not have granted Quietly reading your SMS codes and watching your activity
SIM swap Your line suddenly drops to "Emergency calls only" for hours Your number itself, so every code and alert comes to them
Voicemail abuse A login attempt overnight while you sleep Your code, left as a voicemail behind a default PIN
Linked-device abuse A strange computer shows up under Linked Devices A few seconds with your unlocked phone to mirror your chats

How these play out in real life

"I sent you a code by mistake"

This one works on good people, which is exactly why it spreads. You get a six-digit WhatsApp code you never asked for. Seconds later a "friend" (whose account was already stolen) or someone claiming to be Customer Care messages you: so sorry, I sent my code to your number by accident, can you read it back?

Share it and you have just handed over your account.

It works because they manufacture urgency. You are trying to be helpful, or you do not want to keep an authority figure waiting, and they are counting on you reacting before you think. The rule that beats it is short: if you did not request a code, you never share it. Not with a friend, not with a relative, not with anyone wearing a Customer Care voice.

The link that promises something

Scam links lead with things people want or fear: free bundles, a KRA refund, a job opening, a delivery problem, a prize, an account "about to be suspended." The page is built to look like the real brand, sometimes pixel for pixel. The goal is always one of three things: get you to type a password, hand over personal details, or install something nasty.

The tell is the rush. A real bank or government service is not going to threaten you into clicking inside the next two minutes.

The sudden network blackout (SIM swap)

A SIM swap is when someone talks a mobile provider into moving your number onto a SIM card they control. The first sign on your end is your phone going dead quiet. Full signal one minute, "Emergency calls only" the next, in a place where coverage is normally fine. Meanwhile every call, code, and banking alert meant for you is landing on their phone.

This is the scary one, because your number sits at the centre of everything: WhatsApp, M-PESA, mobile banking, account recovery. They usually gather your ID details first (sometimes from social media, sometimes by calling and pretending to "update your records") and then convince an agent the SIM was lost.

The midnight code grab (voicemail)

This sounds old-school, and it still works. The attacker tries to log in late at night. WhatsApp sends the SMS code, you are asleep, nothing happens. So they tap "Call me instead." Your phone rings, goes unanswered, and the automated voice reads the code straight into your voicemail. If your voicemail PIN is still the factory default, they simply dial in remotely and listen to it.

Plenty of people lock their screen and never once think about their voicemail. Attackers know that.

The office snooper (linked devices)

Sometimes there is no remote trickery at all. You leave your phone unlocked on the desk while you grab lunch. It takes about five seconds for someone to open WhatsApp, hit Linked Devices, and scan a QR code onto their own laptop. Now your chats mirror to their screen and they can message as you. The giveaway is a device you do not recognise sitting in your Linked Devices list.

Warning signs worth stopping for

Most of these attacks announce themselves if you are paying attention:

  • A verification code shows up when you were not logging in anywhere.
  • Someone is suddenly very keen for you to read back a six-digit number.
  • Your phone loses signal for an unusually long stretch with no explanation.
  • There is a browser or computer in Linked Devices that you never set up.
  • A friend asks why you sent them a weird message you never sent.
  • Your battery is draining fast, the phone runs hot, or apps you do not remember installing have appeared.

One of these is enough reason to stop and check. You do not need a full set.

How to actually protect yourself

None of this requires you to be technical. It is a handful of habits.

Turn on Two-Step Verification

If you do one thing from this whole article, do this. It adds a custom PIN that WhatsApp asks for whenever your number is registered on a new device. So even if a scammer cons you out of the SMS code, that PIN still stands between them and your account.

WhatsApp > Settings > Account > Two-step verification > Turn on

Pick a PIN you will remember, and add a recovery email you actually check. The email is your way back in if you ever forget the PIN.

Treat the code as private, full stop

No real support team, telco, friend, or relative needs your six-digit code, your PIN, or your password. Not Safaricom, not WhatsApp, not your cousin. If a request for a code reaches you, the answer is no, regardless of who it appears to come from.

Check your linked devices

WhatsApp > Settings > Linked Devices

Anything you do not recognise, a browser, a computer, an open session, tap it and log it out. Make this a once-in-a-while habit, not a one-time thing.

Slow down before you tap a link

Scammers win on speed. Before you click, run four quick checks:

  • Was I actually expecting this message?
  • Does this sender make sense?
  • Does the link look right, or is it a near-miss spelling of a real site?
  • Am I being pushed to act right now?

A few seconds of doubt kills most of these.

Lock down the phone itself

Your WhatsApp is only as safe as the phone behind it. Use a strong screen lock, keep the software updated, skip unofficial app stores, be stingy with permissions (an SMS app does not need to read your messages), and turn on a biometric app lock if your phone supports it.

For Kenyan readers: protect the line, not just the app

Your phone number is the master key here, so it deserves its own protection. These steps are Safaricom-heavy because of market share, but Airtel and Telkom have equivalents.

Lock your SIM against swaps. On Safaricom, dial *100*100# to whitelist your line. Once it is on, your SIM can only be replaced in person at a Safaricom shop with your ID, not by some agent in a back room. If anyone then tries to register a new line on your details, you get an SMS asking you to confirm or reject it.

Audit what is registered to your ID. Dial *106# (this one works on Safaricom, Airtel, and Telkom). It lists every number tied to your national ID. If a ghost number you do not recognise shows up, report it from that same menu, or visit a shop to deregister it. Criminals love registering lines on stolen IDs, and this is how you catch it early.

Deal with your voicemail. If you do not use it, ask your provider to switch it off. If you do, change the PIN away from the default. That closes the midnight-code-grab route entirely.

Know who really calls you. Safaricom's customer care line is 0722 000 000. If a call comes from some random personal number claiming to be "Safaricom Care," asking you to read a code or press a sudden USSD prompt, hang up. No legitimate agent does that.

Report the fakes. Forward scam SMS to 333 so Safaricom can act on it. For anything more serious, the DCI runs an anonymous WhatsApp line at 0709 570 000 and a toll-free hotline at 0800 722 203.

Verify M-PESA emergencies independently. The "I sent you money by mistake, please send it back" routine is a classic. Scammers fake an M-PESA receipt SMS that looks completely real. Before you move a shilling, check your actual balance with *334# or the M-PESA app, and tell the other person to request an official reversal through Safaricom.

If you run groups, you're a target

Admins of big family, estate, church, school, SACCO, or chama groups get hit more than they expect, because a busy group full of trusting people is a goldmine. Tighten a few settings and you cut off most of it:

  1. Approve new members. Turn on participant approval so nobody slides in unnoticed.
  2. Restrict edits to admins. Scammers love renaming a group to something like "Bitcoin Investments KE" to lend a scam credibility. Lock the name, photo, and description to admins.
  3. Use admin review. Where available, this lets members flag a suspicious message to you, so you can delete it for everyone and remove the poster.
  4. Control who can add you. Settings > Privacy > Groups, switch from "Everyone" to "My contacts." That stops strangers from dragging you into random crypto-scam groups.

If it has already happened

Move fast. Speed is most of the battle.

  1. Open WhatsApp and register your number again with a fresh SMS code. The moment you enter that new code, the attacker's session is kicked out.
  2. Go to Linked Devices and log out anything you do not recognise.
  3. Tell your close contacts, by normal call or SMS, that your account was compromised and to ignore any money requests. This is what stops the scam from spreading to people who trust you.
  4. Check your voicemail PIN and your SIM status while you are at it.

If the attacker managed to set their own Two-Step Verification PIN, full recovery can take up to seven days. Annoying, yes, but re-registering still locks them out of the live session immediately, so do it anyway.

A few questions people always ask

Can I get hacked just by opening a message or answering a call?
No. Reading a text or picking up a call does not, by itself, compromise your phone. The scam needs you to do something: read out a code, tap a malicious link, or enter your PIN somewhere. That is also the good news, because it means you are the deciding factor.

I clicked a dodgy link. Now what?
Get off the internet (toggle airplane mode), and do not type any password into whatever page opened. Run a security scan, then keep an eye on your email and social accounts for strange login attempts. If you entered anything sensitive, change that password right away from a device you trust.

Someone says they sent me money by mistake and is begging me to send it back.
This is the fake-reversal scam almost every time. Do not send anything. Check your real M-PESA balance with *334# or the app, and tell them to request an official reversal through Safaricom. A genuine misdirected payment gets fixed through the network, not through you.

Does changing my number make me safer?
Not on its own. Your security lives in your habits, not your digits. If you do change numbers, use the in-app Change Number feature so the account migrates cleanly, and set up a fresh Two-Step Verification PIN on the new one.

Do this today, not tomorrow

Pick up your phone and knock these out now:

  • Turn on Two-Step Verification and add a recovery email.
  • Open Linked Devices and log out anything unfamiliar.
  • Decide, right now, that you will never share a six-digit code with anyone.
  • Dial *106# and check for ghost numbers on your ID.
  • On Safaricom, dial *100*100# to lock your SIM against swaps.
  • Change or kill your voicemail PIN.
  • Tell the people most likely to get caught (older relatives, younger users) that urgent WhatsApp money requests always get verified by a phone call first.

Staying safe on WhatsApp was never really a technical skill. It comes down to a short list: protect the number, guard the code, secure the phone, and slow down when something feels urgent. Attackers go for the easiest target in the room, not the smartest one. Twenty minutes of setup is usually all it takes to stop being that target.

Stay sharp, and keep your digital gate locked.