The Invisible Roommate: How the GhostPairing Scam Steals Your WhatsApp Without a Password

Researchers at Gen have reported a new WhatsApp account-takeover technique dubbed GhostPairing. The attack appears mundane and arouses little suspicion, yet it ultimately grants attackers full access to a victim’s chats, media files, and contacts—without cracking passwords or intercepting SMS messages.

The campaign was first observed in the Czech Republic, where compromised accounts began sending brief messages to familiar contacts. These messages typically referred to a supposed photo and included a link presented as a Facebook-style preview. Clicking it led to a simple page styled with Facebook’s branding, prompting the user to “confirm” an action before viewing the content.

In reality, these sites had no affiliation with Facebook. They relied on photo- and post-themed domain names and acted as intermediaries to WhatsApp’s legitimate infrastructure. Victims were guided through the process of linking a new device, which was disguised as a routine verification step. In one variant, a QR code was displayed; in another, users were shown a numeric code and instructed to enter it in the app.

The defining feature of the attack is that the victim personally authorizes the connection of an unauthorized device. Using WhatsApp’s phone-number pairing function, the site submits the number to WhatsApp, retrieves a pairing code, and displays it to the victim with instructions to enter it in the application. As a result, the attacker’s browser is added as a linked device and gains the same privileges as a standard WhatsApp Web session.

From that point on, the attacker can read past and incoming messages, view and download media, harvest sensitive information, and distribute new lures in the account holder’s name. Meanwhile, the primary phone continues to function normally, and the presence of the additional device often goes unnoticed unless the user checks the list of linked sessions in settings.

The scheme spreads by exploiting interpersonal trust. Once attackers compromise a single account, they send the same short messages to that user’s contacts and group chats. The brevity and lack of explanation lower suspicion, allowing the attack to propagate rapidly.

The report’s authors note that GhostPairing relies entirely on legitimate service features and requires no theft of secrets. The risk is amplified by the fact that linked devices retain access until manually removed. They suggest that clearer warnings during device linking, more detailed notifications about new sessions, and limits on mass pairing attempts could help mitigate the threat.

Although this case involves WhatsApp, the underlying attack model extends beyond any single application. Any service that relies on rapid pairing via codes or confirmations on a primary device may be susceptible to similar abuse. GhostPairing serves as a cautionary example of how the combination of social engineering and legitimate functionality can enable subtle, long-lasting account compromise.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy