What is GhostPairing on WhatsApp?

GhostPairing is a WhatsApp account takeover scam where cybercriminals trick you into pairing your account with their device. They can then read your chats, send messages from your number, and target your contacts next.

Below you’ll see how the scam usually plays out, the risks involved, and the main warning signs that your account’s been exposed. We’ll also cover some useful prevention tips and what to do if you’ve already been hit.

Learn what GhostPairing is, how it works, and how to stay safe.

What is GhostPairing?

In December 2025, researchers at Gen discovered GhostPairing, a cyberattack that uses phishing and social engineering to trick victims into linking their WhatsApp accounts to the attacker’s device.

GhostPairing exploits the fact that people expect quick replies and don’t really double-check links from familiar names. Once attackers gain access, they can use your account to reach your contacts and extend the scam further.

How does GhostPairing work?

GhostPairing uses a fake login page and WhatsApp’s own device-linking feature to give scammers control of your account. The process looks routine, which is why it’s easy to miss until the damage is done. Here’s how it works, step-by-step:

1. You receive a message from a trusted contact

A contact who has already been hacked may send you an eye-catching message like “Hey, your pic’s on the news!” followed by a link. The link preview might show “Facebook post”, “Facebook login” or similar descriptions to appear legitimate at first glance.

In reality, the URL leads to “photobox.life”, “yourphoto.world”, or other similarly-worded scam domains. Gen’s findings suggest a kit-based approach, where attackers reuse the same layout and just rotate domains when needed.

2. Clicking through takes you to a fake login

Clicking the phishing link opens a page that copies a Meta login screen, which asks for your phone number to sign in. The layout looks familiar, so it feels like a standard account check. After you enter your number, the site triggers WhatsApp’s real device-linking process in the background.

3. You’re asked to “verify” your device

The fake login page displays a numeric code and asks you to confirm it via WhatsApp to “finish the login process.” After you enter your number, WhatsApp sends a real pairing request. The site shows that code and asks you to enter it, which connects the attacker’s device to your account.

4. Attackers can now access your WhatsApp account

Once you enter the final code, the attacker’s device can connect to your account like any other paired device. From that point, they can read your messages and send new ones through your account until you manually unlink it or reset access.

Can GhostPairing attacks use QR code linking?

You can approve a new device with QR scanning, so QR-based linking should work, in theory. If you scan a code on a malicious page, you’d basically be granting the attacker access via WhatsApp Web or a desktop session.

That said, scammers wouldn’t bother with this method due to the unnecessary friction it adds. You’d need a separate screen or device just to scan the QR code, and at that point, most people would tell that something is off. That, or say they can’t be bothered and ask for a screenshot of their supposed news feature.

Most campaigns stick to phone-number prompts and verification codes since those work on a single phone and move people through the scam faster. Still, it’s worth keeping in mind.

The risks of GhostPairing

GhostPairing gives attackers full access to your WhatsApp, which opens the door to account misuse, data theft, and a fresh list of contacts to scam:

• Account takeover: The most obvious danger is that attackers can now control your messages and account settings without you noticing.
• Identity theft scams: If you often share ID numbers, addresses, or other sensitive data, hackers may use them to open accounts in your name or pass checks that rely on personal info.
• Financial fraud: Attackers may message your contacts with payment requests, copying your writing style to appear legitimate.
• Blackmail and extortion: Hackers can collect your private images and messages and threaten to share them unless you pay up. If they find any intimate media, you may end up in a sextortion scheme.
• Business account abuse: Scammers can message customers, take over sales chats, and send fake payment details that can hurt trust in your business and cost you sales.

Warning signs that your WhatsApp was compromised

GhostPairing often leaves traces if you know where to look. These warning signs can help you catch unauthorized access before it becomes a bigger problem:

• Unknown linked devices: Tap the three dots on the top right and select Linked devices. If you see a computer, browser, or location you do not recognize, someone may have connected to your account without permission.
• Messages marked as read: Chats may show the blue “seen” ticks even though you never opened them, which may indicate an attacker is reading them.
• Sudden battery drain: Your battery may drain faster than usual if WhatsApp runs in the background more often, since a linked device can keep chat syncing active.
• Contacts reporting strange texts: Friends, family, or co-workers may tell you they got odd links, money requests, or weird replies. Act fast if that’s the case, as scammers may be using your account to trick others.
• Deleted chats or messages: You may notice missing threads, cleared chat history, or messages removed mid-conversation. Attackers sometimes delete evidence after reading or copying your chats.

How to protect yourself against GhostPairing

Following a few basic internet safety habits can block most GhostPairing attempts. Here’s what to do:

• Double-check links before clicking: Ensure the URL you’re accessing is legitimate (e.g., facebook.com vs facebook.login.com) and doesn’t have an unusual domain suffix (e.g., fotoface.top, yourphoto.life).
• Review your linked devices often: Check your list regularly and log out right away if you see anything unfamiliar, before attackers can read or sync new chats.
• Never scan QR codes for “verification”: One of the risks of QR codes is that they can link your WhatsApp to another device in seconds. If a page asks you to scan one to “verify you,” it’s likely a scammer trying to access your account.
• Enable two-factor authentication (2FA): Go to Settings > Account > Two-step verification, then tap Turn on and create a PIN. This adds a safety net in case someone tries to steal your account.
• Turn on security notifications: Tap the three dots on the top right, then go to Settings > Account > Security notifications and turn on Show security notifications on this device. WhatsApp will then warn you when it changes encryption keys, a sign that someone may be messing with your account.
• Keep your OS and WhatsApp updated: Updates patch security bugs and fix weak points attackers rely on. Install them as soon as possible, especially for messaging apps.

What to do if you’ve fallen for a GhostPairing scam

It’s easy to fall for a GhostPairing scam when the message comes from someone you trust. Don’t beat yourself up over it; just follow this checklist to minimize the damage:

• Unlink all devices: First things first, cut off the attacker’s access. Press the three dots on the top right, then Linked devices, and tap any unknown entries to log them out.
• Alert your contacts: Tell friends and family to ignore recent messages, especially money requests or links. This stops scammers from using your account to trap more people.
• Lock down your financial accounts: Check your banking apps, cards, and payment accounts for suspicious activity. Change passwords and call your bank if you see transfers you did not approve.
• File an anti-fraud report: Report the incident to your bank, your carrier, and any local cybercrime or fraud reporting service (like the FTC, the FBI’s IC3, or Report Fraud). Keep a paper trail in case you need it later.
• Expect further scam attempts: Scammers often come back with follow-up messages, fake support calls, or “recovery” offers. Treat any urgent request as suspicious for the next few days.

What is GhostPairing? FAQs

Also read:

• Is WhatsApp secure?
• How to recognize and avoid WhatsApp scams
• Common Telegram scams and how to avoid them