GhostPairing campaign abuses WhatsApp device linking to hijack accounts

Pierluigi Paganini December 18, 2025

Attackers abuse WhatsApp’s device-linking feature to hijack accounts via pairing codes in the GhostPairing campaign.

Attackers are exploiting WhatsApp’s device-linking feature to hijack accounts using pairing codes in a campaign dubbed GhostPairing, without requiring authentication.

Gen Digital first observed the GhostPairing campaign in Czechia, but warns that it can spread globally via compromised accounts.

The attack chain begins with victims receiving a message, such as “Hey, I just found your photo!”, from a trusted contact. The message contains a link with a Facebook-style preview.

The links point to Facebook-lookalike domains rather than real Facebook sites, with photo-related names and misleading login paths.
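A small triage routine, added here as an illustration and not taken from the article or from Gen Digital's tooling, that flags lure URLs matching the pattern described above: a host that is not a real Facebook domain but carries a brand token, a photo-themed name, and a login or verify path. The allow-list, token lists and sample messages are constructed assumptions.

```python
"""Heuristic triage of links found in chat messages, modelled on the
GhostPairing lure: Facebook-lookalike hosts with photo-themed names and
misleading login/verify paths. Constructed example; lists are assumptions."""
import re
from urllib.parse import urlparse

# Registrable domains treated as genuine Facebook (assumed allow-list).
LEGIT_FACEBOOK = {"facebook.com", "fb.com", "fbcdn.net"}
BRAND_TOKENS = ("facebook", "fb")
PHOTO_TOKENS = ("photo", "pic", "image", "gallery", "album")
ACTION_TOKENS = ("login", "verify", "confirm", "link", "whatsapp")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages; the first mimics the lure quoted in the article.
SAMPLE_MESSAGES = [
    "Hey, I just found your photo! https://fb-photo-viewer.example/login/verify?ref=wa",
    "Look at this: https://www.facebook.com/photo/?fbid=123",
    "Meeting notes are at https://docs.example.org/minutes",
]

def _is_legit_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_FACEBOOK)

def score_url(url: str) -> dict:
    """Return the individual signals plus a 'suspicious' verdict: a host that
    is not allow-listed and trips at least two of the three lure signals."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = (p.path + "?" + p.query).lower()
    hits = {
        "brand_in_host": any(t in host for t in BRAND_TOKENS),
        "photo_theme": any(t in host or t in path for t in PHOTO_TOKENS),
        "action_path": any(t in path for t in ACTION_TOKENS),
    }
    hits["suspicious"] = (not _is_legit_host(host)) and sum(hits.values()) >= 2
    return hits

def triage_messages(messages):
    """Extract every URL from each message and return (url, hits) for the
    suspicious ones, so a chat-security filter can warn before the click."""
    flagged = []
    for text in messages:
        for raw in URL_RE.findall(text):
            url = raw.rstrip(".,!?)")
            hits = score_url(url)
            if hits["suspicious"]:
                flagged.append((url, hits))
    return flagged
```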

The link leads to a fake Facebook viewer that prompts users to “verify” to see the content. By following a short, seemingly harmless sequence of steps, victims unknowingly grant attackers full access to their WhatsApp accounts, without any password theft or SIM swap.

Clicking the WhatsApp link takes victims to a minimal fake Facebook page designed to build trust and prompt verification.

The page acts as a control layer, abusing WhatsApp Web rather than Facebook. Victims are shown either a QR code or, more often, a numeric code to enter in WhatsApp.

Attackers trick victims into entering the code; WhatsApp’s prompt states that doing so links a new device, a warning many users overlook.

By completing this step, users unknowingly link the attacker’s browser as a trusted device, giving full access to messages, photos, and account activity.

In a nutshell, the GhostPairing attack tricks users into approving an attacker’s browser as an additional, invisible device via a pairing code that appears legitimate.

Once a device is linked, attackers gain full WhatsApp Web access without further exploits. They can read synced chats, receive messages in real time, download media, collect sensitive information, impersonate victims, and spread lures to contacts. The victim’s phone continues working normally, making the compromise hard to detect. Many users remain unaware that a second device is linked, allowing attackers to silently monitor conversations. Access may persist unless victims manually review settings and remove unknown linked devices.

GhostPairing spreads by exploiting trusted relationships: attackers use compromised accounts to send short, credible lures to victims’ contacts and groups. The method avoids suspicion, relies on legitimate WhatsApp features, and creates persistent access via linked devices. By riding existing trust rather than phishing passwords, attackers can expand rapidly, monitor conversations, and enable follow-on fraud, impersonation, or extortion.

“Several aspects of this technique are worth highlighting. First, it does not rely on stealing secrets. There is no password phish, no SMS interception, no direct authentication bypass. Everything happens inside the boundaries of the feature set that WhatsApp intended,” reads the report published by Gen Digital.

“Second, the lure is highly plausible. For many users, the idea that “Facebook wants you to confirm something in WhatsApp” does not sound obviously wrong. Codes and QR scans have become part of everyday online life, especially on mobile.”

Analysis shows the GhostPairing campaign relies on a reusable scam kit, with identical templates and photo-themed domains easily swapped when blocked. This kit-like model enables rapid, scalable abuse. Users can protect themselves by regularly checking and removing unknown linked devices in WhatsApp, treating QR or numeric code requests from websites as suspicious, enabling two-step verification, and sharing awareness. Platforms could reduce abuse through clearer device-linking warnings, richer context on pairing requests, rate limiting, and faster revocation of linked sessions after abuse.
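A toy model of the platform-side controls listed above, written for this page as an added example (it is not WhatsApp's implementation): pairing-code requests are rate limited per requesting client, each linked session keeps the context of who requested the code, and sessions linked within a recent window can be revoked in bulk after abuse is reported. All limits, TTLs and sample values are assumptions.

```python
"""Pairing-service sketch with rate limiting, per-session context and bulk
revocation. Constructed example; limits and TTLs are assumed values."""
import secrets
from collections import defaultdict, deque

CODE_TTL = 120             # seconds a pairing code stays valid (assumed)
MAX_CODES_PER_WINDOW = 3   # codes one client may request per window (assumed)
WINDOW = 600               # sliding window in seconds (assumed)

class PairingService:
    def __init__(self):
        self._codes = {}                     # code -> (issued_at, context)
        self._requests = defaultdict(deque)  # client_key -> request timestamps
        self.linked = defaultdict(list)      # account -> list of session dicts

    def request_code(self, client_key, context, now):
        """Issue an 8-digit pairing code to a client such as a browser, or
        None once that client exceeds MAX_CODES_PER_WINDOW within WINDOW."""
        q = self._requests[client_key]
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_CODES_PER_WINDOW:
            return None
        q.append(now)
        code = f"{secrets.randbelow(10**8):08d}"
        self._codes[code] = (now, dict(context, client=client_key))
        return code

    def link_device(self, account, code, now):
        """Called when the phone submits a code. Codes are single-use and
        expire; a successful link records the requester's context."""
        entry = self._codes.pop(code, None)
        if entry is None or now - entry[0] > CODE_TTL:
            return False
        issued_at, ctx = entry
        self.linked[account].append(dict(ctx, linked_at=now))
        return True

    def review(self, account):
        """Richer context shown when a user checks their linked devices.
        Expects 'ip' and 'ua' keys in the context passed to request_code."""
        return [f"{s['client']} from {s['ip']} ({s['ua']}) linked at t={s['linked_at']}"
                for s in self.linked[account]]

    def revoke_recent(self, account, now, max_age):
        """Drop every session linked within the last max_age seconds, e.g.
        after an abuse report; returns the number of sessions removed."""
        before = len(self.linked[account])
        self.linked[account] = [s for s in self.linked[account]
                                if now - s["linked_at"] > max_age]
        return before - len(self.linked[account])
```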

“The technique is not limited to one country or one platform. Any service that allows device pairing through QR codes or numeric codes is a potential candidate for similar abuse,” concludes the report. “GhostPairing Attacks are a good example of how social engineering and legitimate features combine into very effective compromises. The attacker never breaks encryption, they simply convince the user to invite them in as a linked device.”

Source: https://securityaffairs.com/185814/hacking/ghostpairing-campaign-abuses-whatsapp-device-linking-to-hijack-accounts.html