The ghosts of WhatsApp: How GhostPairing hijacks accounts
Criminals are tricking WhatsApp users into linking an attacker’s browser to their account using fake login pages and routine-looking prompts.
Researchers have found an active campaign aimed at taking over WhatsApp accounts. They’ve called this attack GhostPairing because it tricks the victim into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device on the account.
Ghost of WhatsApp Past: When it was just you
Device pairing lets WhatsApp users add additional devices to their account so they can read and reply to messages from a laptop or through WhatsApp Web.
Compared to similar platforms, WhatsApp’s main strengths are its strong end-to-end encryption and seamless cross-platform use. But cybercriminals have found a way to abuse that cross-platform use to bypass the encryption.
In the Ghost of WhatsApp Past, everything looks normal. It’s just you and the devices you meant to connect. The same mechanism that makes life easier is later abused to let in an uninvited guest. Once an attacker’s browser is linked, the end-to-end encryption no longer protects you: the linked browser is an authorized endpoint of the account and receives messages already decrypted.
Ghost of WhatsApp Present: The “I found your photo” moment
So, all is well. Until the target receives a message along the lines of “Hey, check this, I found your photo!” accompanied by a link.
The link, and the website it leads to, are designed to look like they belong to Facebook (which, like WhatsApp, is owned by Meta).
Image courtesy of Gen Digital
This fake login page instructs the visitor to log in with their phone number to continue, or to “verify” before viewing the photo. The scammers then use the submitted phone number to initiate a WhatsApp “device pairing” request for that number.
The researchers observed two variants of the attack. In one, the page displays a QR code to scan with WhatsApp on the phone. In the other, the page shows a numeric code and tells the user to enter it into WhatsApp to confirm a login.
In the second scenario, the victim opens WhatsApp, sees the pairing prompt, types the code, and believes they are completing a routine verification step, when in fact they have just linked the attacker’s browser as a new device.
The numeric-code variant is the attacker’s preferred approach. In the QR-code variant, the code is displayed in a browser on the same phone that is then expected to scan it. QR pairing normally involves a second device, so that mismatch might give people a chance to think about what’s really going on.
Ghost of WhatsApp Future: When the ghost settles in
With the new access to your WhatsApp account, the criminals can:
- Read all your new and synced messages.
- Download photos, videos, and voice notes.
- Send the same “photo” lure to your contacts and spread the scam.
- Impersonate you in direct and group chats.
- Harvest messages, images, and other information to use in future scams, social engineering, and extortion.
And they can do much of this before the real account owner notices that something is wrong.
What Scrooge can learn from all this
It’s not the first time scammers have used tricks like these to take over accounts. Facebook has seen many waves of similar scams.
There are a few basic measures you can take to avoid falling for lures like these.
- Don’t follow unsolicited links sent to you, even if they’re from an account you trust. Verify with the sender that it’s safe. In some cases, you’ll be helpfully warning them their account is compromised.
- Enable Two‑Step Verification in WhatsApp. This adds a PIN that attackers cannot set or change, reducing the impact of other takeover techniques.
- Read prompts and notifications. Many of us have trained ourselves to click all the right buttons to get through the flow as quickly as possible without reading what they’re actually doing, but it’s a dangerous habit.
If you have fallen victim to this, here’s what to do.
- Tell your WhatsApp contacts that your account may have been abused and not to click any “photo” links or verification requests that might have come from you.
- Immediately revoke access: go to Settings → Linked Devices and log out of all browsers and desktops you do not explicitly use. When in doubt, remove everything and re‑link only the devices you own.
About the author
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.