Cybersecurity researchers have identified a new social engineering technique known as GhostPairing, which allows criminals to access WhatsApp accounts without directly stealing passwords, one-time passwords or authentication credentials.
Instead of exploiting a software vulnerability, the scam manipulates victims into authorising an attacker-controlled browser as a trusted device through WhatsApp’s legitimate Linked Devices feature.
Once connected, the attacker may be able to:
- Read private messages
- Monitor ongoing conversations
- View shared media
- Send messages from the victim’s account
- Impersonate the account holder
- Target friends, relatives and business contacts
Because the victim’s original phone continues to function normally, the compromise may remain unnoticed for an extended period.
Scam Begins With a Trusted-Looking Message
According to cybersecurity firm Gen Digital, which reportedly identified the campaign in Czechia in late 2025, the attack usually begins with a short message appearing to come from a known contact.
The message may claim that the sender has discovered a photograph of the recipient and include a social media-style link preview.
Because the message comes from an already compromised account belonging to a friend or relative, recipients may be more likely to trust and open it.
Fake Photo Page Requests Verification
After clicking the link, the victim is redirected to a simplified webpage designed to resemble a recognised social media platform.
The page claims that the user must verify their identity or continue through an authentication process before viewing the alleged photograph.
The victim is then asked to enter their mobile phone number.
However, rather than verifying access to any photograph, the fraudulent website reportedly sends the number to WhatsApp’s legitimate device-pairing system.
Legitimate Pairing Code Becomes the Trap
WhatsApp generates a device-linking code intended to allow the account holder to connect a browser or another device.
The scam website reportedly captures this process and presents the pairing code to the victim as though it were an ordinary verification code required to view the content.
When the victim follows the instructions and enters the code inside WhatsApp, they unknowingly approve the attacker’s browser as a linked device.
The criminal gains access without requiring the victim to disclose:
- Their WhatsApp password
- An SMS OTP
- A two-step verification PIN
- Their mobile SIM card
The victim technically authorises the connection themselves, although they do so under false pretences.
Original Phone Continues Working Normally
One reason GhostPairing may remain undetected is that the victim is not automatically logged out.
Their WhatsApp application may continue operating normally while the attacker simultaneously accesses the account from another device.
Unless the unfamiliar session is manually removed, the attacker may retain access to:
- New messages
- Existing conversations
- Shared photographs and documents
- Contact information
- Group discussions
This creates the possibility of long-term surveillance and impersonation.
Scam Spreads Through Genuine Contacts
GhostPairing differs from ordinary phishing because it spreads through real social relationships.
After compromising one WhatsApp account, attackers can send the same fraudulent message to that person’s genuine contacts.
Recipients are more likely to trust a message received from:
- A friend
- A family member
- A colleague
- A customer
- A business associate
Researchers describe this trust-based expansion as a snowball effect, with each compromised account helping the fraud spread further.
Reusable Phishing Kits May Support Campaign
Researchers reportedly identified signs that the operation may rely on reusable phishing kits.
Such kits may allow criminals to:
- Change fraudulent domains quickly
- Localise messages into different languages
- Replace photographs and social media themes
- Replicate the attack across multiple countries
- Continue operations when individual websites are blocked
Although the scam was initially detected through Czech-language messages, the technique itself can reportedly be adapted for users worldwide, including in India.
Attackers Monitor Conversations Before Acting
After obtaining access, criminals may not immediately send fraudulent messages.
They can first observe the victim’s conversations to understand:
- Personal relationships
- Writing style
- Financial discussions
- Business dealings
- Upcoming payments
- Names of relatives and colleagues
This information enables attackers to create more convincing impersonation attempts.
Compromised Accounts Used for Financial Fraud
Once sufficient information is collected, attackers may use the trusted WhatsApp account to:
- Request emergency financial help
- Promote fake investment opportunities
- Ask contacts to transfer money
- Share malicious links
- Collect personal documents
- Conduct identity-related scams
Because the messages originate from the victim’s genuine account, recipients may not immediately recognise the fraud.
Businesses Also Face Serious Risk
GhostPairing can create significant risks in corporate environments.
A compromised employee, vendor or executive account may be used to conduct:
- Fake payment requests
- Invoice manipulation
- Executive impersonation
- Vendor fraud
- Targeted phishing
- Confidential data theft
An attacker who monitors business conversations may be able to time fraudulent instructions around genuine payments or commercial transactions.
How to Check for Unfamiliar Linked Devices
WhatsApp users should regularly review the devices connected to their accounts.
Users can open:
WhatsApp Settings → Linked Devices
Any browser, computer or device that is not recognised should be removed immediately.
Users should also treat unexpected device-linking codes, QR codes and verification instructions as suspicious.
Essential Protection Measures
Cybersecurity experts recommend that users:
- Never approve a device-linking request received through an external website.
- Never scan an unknown QR code claiming to verify a WhatsApp account.
- Regularly check the Linked Devices section.
- Remove unfamiliar sessions immediately.
- Enable WhatsApp Two-Step Verification.
- Protect the phone with a strong screen lock.
- Avoid sharing screen access with unknown support agents.
- Independently verify unusual financial requests.
It is also important to remember that a message from a known account may still be fraudulent if that account has already been compromised.
Businesses Should Verify Payment Instructions Separately
Organisations should not rely exclusively on WhatsApp for approving financial transactions.
Unusual payment requests should be confirmed through an independent channel, such as:
- A direct phone call
- Official corporate email
- Internal approval software
- Face-to-face verification
This is especially important when instructions involve:
- Changes to bank accounts
- Urgent fund transfers
- New beneficiaries
- Confidential financial information
Human Trust Remains the Main Vulnerability
GhostPairing demonstrates how modern cybercrime can misuse legitimate technology without technically breaking into a system.
The attack succeeds because victims are persuaded to authorise the criminal’s device themselves.
This makes user awareness, independent verification and regular account monitoring essential components of WhatsApp security.
Shunyatax Global Insight
Shunyatax Global says that two-factor authentication alone may not prevent fraud when users are manipulated into approving a legitimate device-linking request. Individuals and businesses should regularly audit linked sessions and treat every unexpected verification instruction as a potential account takeover attempt. Financial requests received through messaging applications should always be confirmed through an independent communication channel before any payment is made.