A new scam called GhostPairing hijacks WhatsApp accounts by abusing the app's legitimate device-linking feature, requiring no stolen passwords or OTPs to succeed.

WhatsApp’s GhostPairing Scam Steals Access Without a Password

The420 Web Correspondent
5 Min Read

Cybercriminals have introduced a new social engineering technique called GhostPairing to target WhatsApp users worldwide. Instead of exploiting a software vulnerability or stealing passwords and OTPs, the scam abuses WhatsApp’s legitimate Linked Devices feature. If a user is tricked into linking an unfamiliar device to their account, the attacker can read private messages, monitor conversations, send messages while impersonating the victim, and use the trusted account to carry out financial fraud or identity-related scams.

How the Attack Actually Tricks a Victim

Cybersecurity firm Gen Digital, which first identified the campaign in Czechia in late 2025, found the attack begins with a short message from what appears to be a known contact, typically along the lines of “Hey, I just found your photo!”, accompanied by a link carrying a Facebook-style preview. Tapping it leads to a stripped-down page using Facebook branding that invites the user to “verify” or “continue” before viewing the supposed photo.

The page then asks the victim to enter their phone number, which it silently forwards to WhatsApp’s own legitimate device-linking endpoint. WhatsApp generates a pairing code intended solely for the account owner, but the attacker’s site intercepts that code and displays it back to the victim, framed as a verification step needed to see the photo. When the victim opens WhatsApp and enters the code as instructed, they unknowingly link the attacker’s browser as a trusted device on their own account, all without ever revealing a password or OTP to anyone.

Why It Spreads Faster Than Ordinary Phishing

Because the victim’s original phone continues functioning entirely normally, many remain unaware a second device has silently joined their account, and researchers note that unless the linked device is manually removed, the connection remains active indefinitely, giving attackers potentially long-term, undetected access to conversations and media.

What makes GhostPairing especially effective is that it propagates through genuine social connections rather than random spam. Once an attacker gains access to one account, they can forward the same photo lure to that victim’s real contacts, who are naturally far more likely to trust a message appearing to come from someone they know. Gen Digital describes this trust-based propagation as allowing the campaign to grow like a snowball, with each newly compromised account unwittingly recruited to expand the operation further. Researchers also found signs the technique may be powered by a reusable phishing kit with swappable, photo-themed lookalike domains, a kit-based model that lets the scam continue scaling even as individual fraudulent domains get blocked. Though first observed in Czech-language messages, the underlying infrastructure and templates are language-agnostic, meaning the same technique can be easily localised and deployed against users anywhere, including India.

What Attackers Do Next, and How to Stay Protected

After gaining access, attackers often monitor conversations first, learning a victim’s relationships, communication style and ongoing discussions before impersonating them to request emergency financial assistance, promote fake investment opportunities, or deceive friends, family and colleagues into transferring money. In corporate settings, compromised accounts can similarly facilitate invoice fraud, executive impersonation and targeted phishing against business partners.

Experts associated with the Future Crime Research Foundation said GhostPairing illustrates how modern cybercrime increasingly exploits human trust rather than technical weaknesses, and advised users to never scan unknown QR codes or approve device-linking requests claiming to “secure” or “verify” an account without independently confirming the request first. They recommended regularly checking WhatsApp’s Linked Devices section under Settings and immediately removing any unfamiliar session, enabling Two-Step Verification, securing devices with a strong screen lock, and never sharing OTPs or screen access with anyone claiming to offer technical support.

Organisations were further encouraged to require employees to confirm unusual payment requests through a phone call or other independent channel rather than relying solely on WhatsApp messages, since compromised accounts of colleagues or vendors can now convincingly impersonate legitimate business communication.

Stay Connected