How to Recover a Hacked WhatsApp Account: Step-by-Step Guide
If your WhatsApp account was taken over, you can usually get it back in minutes by re-registering your number. This calm, step-by-step guide walks you through recovery, locking attackers out, and reporting.
Losing access to WhatsApp is frightening, especially when an attacker is messaging your family and friends from your number. Take a breath: in most cases you can recover your account in just a few minutes, because WhatsApp ties the account to your phone number, not to the attacker's device. This guide explains how takeovers happen, how to tell if you have been hacked, the exact steps to get back in and lock the intruder out, and how to report what happened.
- Open WhatsApp, enter your number, and re-register with the 6-digit SMS code. This instantly logs the attacker out.
- Never share that 6-digit code with anyone, no matter who they claim to be.
- If a two-step verification PIN blocks you and you set an email, tap Forgot PIN; otherwise you may wait 7 days.
- After you are back in, turn on two-step verification and remove any unknown linked devices.
- Tell your contacts not to send money or codes, then report to your local cybercrime helpline (in India, call 1930).
How WhatsApp takeovers happen
Almost every WhatsApp hack comes down to one thing: the attacker getting your 6-digit registration code. The most common methods are:
- Registration-code (OTP) theft. A scammer messages you, often pretending to be a friend or WhatsApp support, and says they accidentally sent a code to your number and need it back. The code is actually your own login code. If you forward it, they register your number on their phone.
- SIM swap. A criminal convinces your mobile carrier to move your number to their SIM card. The registration SMS then arrives on their device instead of yours.
- WhatsApp Web hijack. Someone with brief physical access to your unlocked phone scans a linked-device QR code, giving them a live mirror of your chats without taking over the main account.
How to know you are hacked
- You are suddenly logged out and see a message that your number is registered on another device.
- Contacts tell you they received strange messages, money requests, or code requests from you.
- You see messages marked as read that you never opened, or chats you did not send.
- In Settings, Linked Devices, you spot a session you do not recognise.
Step-by-step recovery
The core fix is simple: re-register your number on your own phone. The moment you enter the correct 6-digit code, WhatsApp logs out whoever else is signed in with your number.
- Open WhatsApp on your phone and enter your full phone number with the country code.
- Request the verification code by SMS. WhatsApp sends a 6-digit code to your number by text message.
- Enter the 6-digit code. This verifies it is really you and immediately signs the attacker out of your account.
- If asked for a two-step verification PIN you did not set, the attacker may have added one. If you registered an email for two-step verification, tap Forgot PIN and follow the email link to reset it. If no email is on file, WhatsApp makes you wait 7 days from your account's last activity before you can reset the PIN and sign in. This wait is a safety feature and cannot be skipped.
- Once you are back in, move straight to the security steps below before doing anything else.
Turn on two-step verification
Two-step verification adds a 6-digit PIN that is required whenever your number is registered with WhatsApp again. This is the single best defence against a repeat takeover, because even an attacker who steals your SMS code cannot finish without your PIN.
- Open Settings, then Account, then Two-step verification.
- Tap Turn on and choose a 6-digit PIN you will remember but others cannot guess (avoid birthdays).
- Add an email address when prompted. This lets you reset the PIN quickly if you ever forget it, and avoids the 7-day wait.
Check and remove linked devices
Re-registering ends the attacker's main session, but you should still clear any WhatsApp Web or linked-device sessions in case one was set up.
- Open Settings, then Linked Devices.
- Review the list. Each entry shows a device type and last activity.
- Tap any device you do not recognise, then tap Log out. When in doubt, log out of everything and re-link only the devices you actually use.
Warn your contacts
Attackers who control your account almost always run follow-on scams while they have it, and sometimes even after you recover it. Once you are back in, post a quick note to your status and message close contacts and groups:
- Tell them your account was hacked and to ignore any recent messages from you, especially requests for money, gift cards, or codes.
- Remind them that a request to share a 6-digit code is always a scam, even if it appears to come from you.
- Ask anyone who already sent money to stop and report it immediately.
If you cannot get the SMS code
If the verification SMS never arrives, your number may have been SIM-swapped, meaning it has been moved to an attacker's SIM. In that case:
- Contact your mobile carrier at once and tell them you suspect a SIM swap. Ask them to disable the rogue SIM and restore the number to your own SIM.
- Check whether you can still make calls or texts at all. A dead SIM is a strong sign of a swap.
- Once your number is restored to your phone, return to the recovery steps above and re-register.
- If your phone or SIM was lost or stolen, you can email WhatsApp to deactivate the account so no one can use it. Send a message to [email protected] with the words Lost/Stolen: Please deactivate my account in the body, and include your full phone number in international format.
Reporting and getting help
- Report inside WhatsApp via Settings, Help, Contact us, or email [email protected] with details of what happened.
- Report to your national cybercrime authority. In India, call the cybercrime helpline 1930 or file a report at cybercrime.gov.in, especially if money was lost. Most countries have an equivalent fraud or cybercrime reporting line.
- If money was sent from any linked payment app or to a scammer, contact your bank straight away to try to freeze or reverse the transfer.
Frequently asked questions
Will re-registering really kick the hacker out? Yes. WhatsApp allows a number to be active on only one main phone at a time, so when you verify with the new 6-digit code, the attacker's session ends immediately.
Can the hacker read my old messages? Your chats are end-to-end encrypted and stored on devices, not WhatsApp's servers. An attacker sees messages that arrive while they are logged in, but they cannot pull your full history unless they also restored your backup. Change your account password and review your phone's security to be safe.
I am stuck on the 7-day wait. Can I speed it up? No. If a two-step PIN was set with no recovery email, the 7-day wait is enforced for security and cannot be bypassed. Adding an email after you recover prevents this next time.
How do I stop this happening again? Turn on two-step verification with a recovery email, never share your 6-digit code, set a PIN or biometric lock on your SIM and phone, and be wary of anyone urgently asking for a code.
Official WhatsApp help:
- How to recover a compromised account
- How to recover a WhatsApp account from a lost or stolen device
- How to reset your two-step verification PIN
- About two-step verification
- How to check linked devices and unlink one you do not recognise
If money was stolen or you need to report the crime, see our cybercrime help hub for country-by-country reporting and recovery steps.