Invitation with hacking: scammers began to advertise in the "working version of WhatsApp"

Since the beginning of January, cybercriminals have been actively faking the "working version of WhatsApp" (owned by Meta, which is recognized as extremist and banned in the Russian Federation). The attackers send phishing emails and SMS with links that lead to malicious sites. Their purpose is to gain access to the user's personal or payment information. The number of such attacks in January is in the thousands, cybersecurity experts told Izvestia. They are confident that the scheme will scale, as the messenger may be permanently blocked in 2026, and many of its users do not want to switch to alternatives yet. How not to become a victim of deception — in the material of Izvestia.

How WhatsApp is used for phishing

The attackers began actively faking the "working version of WhatsApp" in order to gain access to users' personal data.

— During the New Year holidays, we recorded the mailing of phishing emails and SMS with an offer to download a "working version" of the messenger. The links sent by the scammers lead to malicious websites, the purpose of which is to gain access to personal or payment information," said Dina Fomicheva, Director of Corporate Sales at Telecom Exchange.

The scheme is designed for people who want to continue communicating in their usual application, and scammers offer them a "convenient" solution — to install the "correct" version of the program, explained Vladimir Ulyanov, head of the analytical center at Zecurion.

According to the research company Mediascope, as of August 2025, WhatsApp was used by about 97 million Russians. According to independent expert Andrey Barkhota, with the help of this particular messenger, users communicated with about 70% of their contacts. Against the background of the threat of losing this opportunity, they download a fake application.

One of the victims, Sergey from Yekaterinburg, told Izvestia about what such a deception scheme looks like.:

— In early January, I received an SMS in my messenger with a suggestion to follow the link to download the updated version of WhatsApp. After clicking on the link, the website did not open directly, but a window simulating a browser. Everything looked as plausible as possible. However, nothing has changed in the messenger itself. I came to my senses and closed all the tabs. Unfortunately, a simple referral to scammers may be enough.

Wallet shield: how the new state system will save Russians from cyber-hackers

Banks, operators and the state unite against fraudsters

The fake website contains a virus, and after launching it on the victim's device, the attacker gains access to the system at the administrator level and intercepts application management, warned Dmitry Livshin, CEO of CYBER Business Consulting. Next, fraudsters monetize their presence through the theft of payment data, explained Alexey Gorelkin, cybersecurity expert at the Stolypin Institute of Growth Economics and CEO of Phishman.

Why scammers have become more active on WhatsApp

In December 2025, the speed of WhatsApp slowed down. Roskomnadzor stressed that they are consistently increasing restrictions on the platform due to non-compliance with the requirements of the legislation of the Russian Federation.

Later, in early January, Andrei Svintsov, deputy chairman of the State Duma for Information Policy, Information Technology and Communications, expressed the opinion that WhatsApp would be permanently blocked by the end of 2026.

Another reason for the popularity of the scheme is that people tend to be relaxed during the New Year holidays. They spend more time on the phone and check the sources of messages less, said Andrey Vishnyakov, founder of the neuro-artel "Useful Figures", an expert on artificial intelligence and digital development. Therefore, any letter stating that the service has "stopped working", "will be disabled" or "needs to be updated urgently" is perceived almost automatically.

Izvestia sent a request to the Interior Ministry regarding the popularity of the new method of fraud.

In the project of the Coordination Center of the .RU/ domains.The Russian Federation's Domain Patrol (which identifies and combats the misuse of domain names on the Runet) received 31 complaints about cyber attacks on WhatsApp in December, and 34 in the first two weeks of January. They clarified: when organizations record phishing or other violations in the zones.RU/.In the Russian Federation, they contact the registrars. Registrars review the received requests and block malicious domains.

However, official statistics do not reflect the full extent of the problem, as users do not report many cases, said Igor Bederov, director of the T.Hunter Investigation Department. In addition, most victims of this scheme do not immediately notice that malware has been downloaded to their device, added Alexandra Pozharskaya, an expert at the Moshelovka platform.

How the dice will fit: Scammers use the Telegram dice game to cheat

Since the beginning of 2026, 800 fraudulent websites for stealing cryptocurrencies have already been recorded.

— Only less than 1% of victims go to the authorities. In Russia, at least 6-7 thousand users have encountered this problem over the past month. The damage is often insignificant for one person, but collectively amounts to millions of rubles," Igor Bederov estimated.

It is important to keep in mind that as the messenger is blocked in Russia, criminals will "move" to more relevant sites, he concluded.

How not to get scammed on WhatsApp

The habit of not trusting messages "out of nowhere" and remembering that working versions of popular services are not distributed via SMS or emails will help reduce the risks of phishing, said Andrey Vishnyakov from Useful Figures. The basic rule is to download applications only from official stores and monitor their access rights, added Lyudmila Bogatyreva, head of the Polylog Agency's IT department, ROCIT expert, author of the Bogatyreva about Digital telegram channel.

In addition, before clicking on any links, you need to check the URL - scammers often use names similar to the official ones, but with barely noticeable differences in characters, recommended Dina Fomicheva from Telecom Exchange.

Do not forget about the classic signs of deception, such as a suspicious sender, errors in the text of the message, inconsistencies between the name of the site and its address, as well as urgency and pressure, summed up Ruben Markarian, deputy president of the Guild of Russian Lawyers, head of the Moscow branch of the International Union of Criminologists and Criminologists.