Skip to Content
Add Network with Us — Join Membership


WhatsApp’s GhostPairing Scam Steals Account Access Without Passwords or OTPs

Cybercriminals exploit WhatsApp’s legitimate Linked Devices feature to secretly access private conversations, impersonate users and target their trusted contacts.
July 17, 2026 by
WhatsApp’s GhostPairing Scam Steals Account Access Without Passwords or OTPs
Administrator

Cybersecurity researchers have identified a new social engineering technique known as GhostPairing, which allows criminals to access WhatsApp accounts without directly stealing passwords, one-time passwords or authentication credentials.

Instead of exploiting a software vulnerability, the scam manipulates victims into authorising an attacker-controlled browser as a trusted device through WhatsApp’s legitimate Linked Devices feature.

Once connected, the attacker may be able to:

  • Read private messages
  • Monitor ongoing conversations
  • View shared media
  • Send messages from the victim’s account
  • Impersonate the account holder
  • Target friends, relatives and business contacts

Because the victim’s original phone continues to function normally, the compromise may remain unnoticed for an extended period.

Scam Begins With a Trusted-Looking Message

According to cybersecurity firm Gen Digital, which reportedly identified the campaign in Czechia in late 2025, the attack usually begins with a short message appearing to come from a known contact.

The message may claim that the sender has discovered a photograph of the recipient and include a social media-style link preview.

Because the message comes from an already compromised account belonging to a friend or relative, recipients may be more likely to trust and open it.

Fake Photo Page Requests Verification

After clicking the link, the victim is redirected to a simplified webpage designed to resemble a recognised social media platform.

The page claims that the user must verify their identity or continue through an authentication process before viewing the alleged photograph.

The victim is then asked to enter their mobile phone number.

However, rather than verifying access to any photograph, the fraudulent website reportedly sends the number to WhatsApp’s legitimate device-pairing system.

Legitimate Pairing Code Becomes the Trap

WhatsApp generates a device-linking code intended to allow the account holder to connect a browser or another device.

The scam website reportedly captures this process and presents the pairing code to the victim as though it were an ordinary verification code required to view the content.

When the victim follows the instructions and enters the code inside WhatsApp, they unknowingly approve the attacker’s browser as a linked device.

The criminal gains access without requiring the victim to disclose:

  • Their WhatsApp password
  • An SMS OTP
  • A two-step verification PIN
  • Their mobile SIM card

The victim technically authorises the connection themselves, although they do so under false pretences.

Original Phone Continues Working Normally

One reason GhostPairing may remain undetected is that the victim is not automatically logged out.

Their WhatsApp application may continue operating normally while the attacker simultaneously accesses the account from another device.

Unless the unfamiliar session is manually removed, the attacker may retain access to:

  • New messages
  • Existing conversations
  • Shared photographs and documents
  • Contact information
  • Group discussions

This creates the possibility of long-term surveillance and impersonation.

Scam Spreads Through Genuine Contacts

GhostPairing differs from ordinary phishing because it spreads through real social relationships.

After compromising one WhatsApp account, attackers can send the same fraudulent message to that person’s genuine contacts.

Recipients are more likely to trust a message received from:

  • A friend
  • A family member
  • A colleague
  • A customer
  • A business associate

Researchers describe this trust-based expansion as a snowball effect, with each compromised account helping the fraud spread further.

Reusable Phishing Kits May Support Campaign

Researchers reportedly identified signs that the operation may rely on reusable phishing kits.

Such kits may allow criminals to:

  • Change fraudulent domains quickly
  • Localise messages into different languages
  • Replace photographs and social media themes
  • Replicate the attack across multiple countries
  • Continue operations when individual websites are blocked

Although the scam was initially detected through Czech-language messages, the technique itself can reportedly be adapted for users worldwide, including in India.

Attackers Monitor Conversations Before Acting

After obtaining access, criminals may not immediately send fraudulent messages.

They can first observe the victim’s conversations to understand:

  • Personal relationships
  • Writing style
  • Financial discussions
  • Business dealings
  • Upcoming payments
  • Names of relatives and colleagues

This information enables attackers to create more convincing impersonation attempts.

Compromised Accounts Used for Financial Fraud

Once sufficient information is collected, attackers may use the trusted WhatsApp account to:

  • Request emergency financial help
  • Promote fake investment opportunities
  • Ask contacts to transfer money
  • Share malicious links
  • Collect personal documents
  • Conduct identity-related scams

Because the messages originate from the victim’s genuine account, recipients may not immediately recognise the fraud.

Businesses Also Face Serious Risk

GhostPairing can create significant risks in corporate environments.

A compromised employee, vendor or executive account may be used to conduct:

  • Fake payment requests
  • Invoice manipulation
  • Executive impersonation
  • Vendor fraud
  • Targeted phishing
  • Confidential data theft

An attacker who monitors business conversations may be able to time fraudulent instructions around genuine payments or commercial transactions.

How to Check for Unfamiliar Linked Devices

WhatsApp users should regularly review the devices connected to their accounts.

Users can open:

WhatsApp Settings → Linked Devices

Any browser, computer or device that is not recognised should be removed immediately.

Users should also treat unexpected device-linking codes, QR codes and verification instructions as suspicious.

Essential Protection Measures

Cybersecurity experts recommend that users:

  • Never approve a device-linking request received through an external website.
  • Never scan an unknown QR code claiming to verify a WhatsApp account.
  • Regularly check the Linked Devices section.
  • Remove unfamiliar sessions immediately.
  • Enable WhatsApp Two-Step Verification.
  • Protect the phone with a strong screen lock.
  • Avoid sharing screen access with unknown support agents.
  • Independently verify unusual financial requests.

It is also important to remember that a message from a known account may still be fraudulent if that account has already been compromised.

Businesses Should Verify Payment Instructions Separately

Organisations should not rely exclusively on WhatsApp for approving financial transactions.

Unusual payment requests should be confirmed through an independent channel, such as:

  • A direct phone call
  • Official corporate email
  • Internal approval software
  • Face-to-face verification

This is especially important when instructions involve:

  • Changes to bank accounts
  • Urgent fund transfers
  • New beneficiaries
  • Confidential financial information

Human Trust Remains the Main Vulnerability

GhostPairing demonstrates how modern cybercrime can misuse legitimate technology without technically breaking into a system.

The attack succeeds because victims are persuaded to authorise the criminal’s device themselves.

This makes user awareness, independent verification and regular account monitoring essential components of WhatsApp security.

Shunyatax Global Insight

Shunyatax Global says that two-factor authentication alone may not prevent fraud when users are manipulated into approving a legitimate device-linking request. Individuals and businesses should regularly audit linked sessions and treat every unexpected verification instruction as a potential account takeover attempt. Financial requests received through messaging applications should always be confirmed through an independent communication channel before any payment is made.

in News
Share this post
Archive