GhostPairing Attacks: from phone number to full access in WhatsApp

Gen has discovered a novel WhatsApp account takeover campaign that we refer to as GhostPairing Attack. On the surface it looks very simple. Victims receive a message from one of their contacts, usually something along the lines of:
“Hey, I just found your photo!”

The message includes a link that appears as a Facebook style preview. When users open it, they see a page that imitates a Facebook viewer and asks them to “verify” before they can see the content.
What follows is a small sequence of steps that many people complete without thinking. At the end of that sequence, an attacker has full access to the victim’s WhatsApp account without stealing a single password.
This article explains what we observed, how the attack works in practice, which infrastructure is involved, and what users can do to protect themselves.
We use the term GhostPairing Attack because the victim is tricked into completing WhatsApp’s own device pairing flow, adding the attacker’s browser as an invisible extra device on their account. There is no password theft or SIM swap – instead, the user approves the attacker themselves by entering a pairing code that looks like normal verification.
What we observed in the wild
The campaign was first noticed in Czechia, where compromised accounts started sending short, informal messages to local contacts. The wording varied slightly, but the structure remained the same. The messages were brief, usually mentioning a photo, and included a link that rendered as a Facebook element inside WhatsApp.

The domains behind these links were not Facebook at all. Instead, they belonged to a cluster of lookalike sites with names related to photos or posts, for example:
- photobox[.]life
- postsphoto[.]life
- yourphoto[.]life
- photopost[.]live
- yourphoto[.]world
- top-foto[.]life
- fotoface[.]top
Paths often included strings like /login/post.com or /login/facepost.com, which helped maintain the illusion that the user was dealing with some kind of Facebook login or content viewer.
Although our earliest sightings are in Czech, nothing in the attack depends on the language. The same template can be reused for any country simply by changing the text of the lure.
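As an added illustration (not code from Gen's write-up or from the kit), the following Python flags chat messages whose links fit the lure pattern above: photo or post wording on a generic TLD combined with a /login/<name>.com path. The keyword and TLD lists are assumptions drawn from the examples listed, and the sample messages are constructed, not captured traffic.

```python
import re
from urllib.parse import urlparse

# Heuristics assumed from the lure domains and paths listed above: photo/post
# wording under a generic TLD, and a "/login/<name>.com" path imitating a viewer.
LURE_KEYWORDS = ("photo", "foto", "post", "face")
GENERIC_TLDS = ("life", "live", "world", "top")
LOGIN_PATH = re.compile(r"^/login/[a-z0-9-]+\.com", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_TEXT = re.compile(r"\b(your|ur) (photo|pic|picture)s?\b", re.IGNORECASE)

# Constructed sample messages (not captured traffic): two lures, two benign.
SAMPLE_MESSAGES = [
    "Hey, I just found your photo! https://photobox[.]life/login/post.com",
    "look https://top-foto.life/login/facepost.com?u=1",
    "Meeting moved to 3pm, see https://calendar.example.com/event/123",
    "Here is the album https://photos.example.com/share/abc",
]


def score_url(url: str) -> list[str]:
    """Return the lure indicators found in one URL (empty list means clean)."""
    # Accept defanged input such as photobox[.]life; urlparse would otherwise
    # treat the bracket as an IPv6 literal and return a bogus hostname.
    parsed = urlparse(url.replace("[.]", "."))
    labels = (parsed.hostname or "").split(".")
    tld, name = labels[-1], ".".join(labels[:-1])
    hits = []
    if tld in GENERIC_TLDS and any(k in name for k in LURE_KEYWORDS):
        hits.append("lookalike-photo-domain")
    if LOGIN_PATH.match(parsed.path):
        hits.append("fake-login-path")
    return hits


def flag_message(text: str) -> dict:
    """Flag a message that carries a lure URL, or lure wording plus any link."""
    urls = [u.rstrip(".,!?)") for u in URL_RE.findall(text)]
    findings = {u: score_url(u) for u in urls}
    lure_text = LURE_TEXT.search(text) is not None
    suspicious = any(findings.values()) or (lure_text and bool(urls))
    return {"suspicious": suspicious, "lure_text": lure_text, "urls": findings}


def scan_messages(messages: list[str]) -> list[str]:
    """Return only the messages that should be held back or warned about."""
    return [m for m in messages if flag_message(m)["suspicious"]]


if __name__ == "__main__":
    for m in scan_messages(SAMPLE_MESSAGES):
        print("SUSPICIOUS:", m)
```

The last benign sample shows why the TLD check matters: a hostname containing "photo" on a mainstream domain is not flagged on its own.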
The fake viewer that is not about Facebook at all
When a user clicks the link within the WhatsApp message, they land on a very minimal page. It usually carries the Facebook logo and colors, a stripped down layout and a button that invites them to continue or verify before they can see the photo.
This page has two purposes.
First, it creates a sense of familiarity that encourages the user to trust the page. People expect Facebook to ask for some kind of confirmation from time to time. Seeing a login button or a verification step feels normal.
Second, it acts as the attacker’s control panel. The page is not connecting with Facebook but rather mediating between the victim and the legitimate WhatsApp Web infrastructure that the attacker is abusing.
Depending on the variant, the next screen either:
- shows a QR code and tells the user to scan it with WhatsApp, or
- shows a numeric code and tells the user to enter it into WhatsApp to confirm a login.
Both flows lead to the same outcome, but later we’ll show why the QR code is rarely used in favor of the numeric code. The attacker gets their browser registered as a linked device on the victim’s WhatsApp account, where they have complete control over personal messages, photos and everything else a person does on the WhatsApp platform.
A quick primer on WhatsApp device linking/pairing
To understand the abuse, it helps to look briefly at how device linking in WhatsApp is supposed to work.
When people use WhatsApp Web or the desktop client, they are not creating a separate account. They are linking a new device to their existing account. WhatsApp offers more than one way to do this:
- The one most people know: open WhatsApp, scan a QR code shown on the desktop or browser, and approve the new session.
- A less visible option: link a device using the account’s phone number and a numeric pairing code that the user has to confirm in the app.
Both are legitimate features, and both are meant to make it easier to connect a new laptop or browser without constantly re-entering credentials. Additionally, both can be repurposed if someone convinces the account owner to cooperate.
The campaign we analyzed does exactly that.
QR based linking – possible, but a fringe scenario
On paper, attackers could run the same scam using WhatsApp’s QR based device linking. In our tests, this works technically, but it is much less practical for real victims.
To abuse this flow, an attacker would open WhatsApp Web in their own browser, capture the QR code shown there and embed it into the fake Facebook viewer page. The victim would then be told to open WhatsApp, go to Linked devices and scan that QR in order to “view the photo”. From WhatsApp’s perspective, the account owner has just approved a new linked device, and the attacker’s browser receives a fully authorized session.
In practice, however, there is a big usability problem. Most people run both WhatsApp and the browser on the same phone. Scanning a QR that is displayed on the very device you are using is awkward at best, and often impossible without a second screen, another phone or a tablet. We have all seen edge cases where this happens in legitimate contexts, but it is not something you would build a mass scam around.
That is why, in the activity we have observed, attackers rely on the phone number and pairing code flow instead. It produces the same end result but feels like a normal two step verification process and can be completed entirely on a single device, which makes it far more attractive for large scale abuse.
Abusing phone number and pairing codes
The numeric code variant is slightly more complex and arguably more dangerous, because it resembles two factor authentication even more closely. It is also the most common way the scam plays out.
Here, the fake page encourages the user to enter their phone number. It then acts as a proxy to the real WhatsApp device linking endpoint.
The behind-the-scenes sequence looks like this:
- The victim types their phone number on the fake page.
- The page forwards that number to WhatsApp’s legitimate “link device via phone number” feature.
- WhatsApp generates a pairing code that is meant to be seen only by the account owner.
- The attacker’s site takes that code and displays it back to the victim with text that suggests they should “enter this in WhatsApp to confirm the login and see the photo.”
- The victim opens WhatsApp, sees the pairing prompt and enters the code, believing they are completing a security check.
From the victim’s point of view, this feels like a standard verification process. They have seen similar flows in many other services.
From WhatsApp’s point of view, the owner of the account has just approved a new linked device using the correct code.
Again, the end result is that the attacker’s browser becomes a trusted device for that account.

What the attacker can do once linked
After their device is linked, the attacker does not need to exploit anything else. They have the same capabilities that any user has when connecting WhatsApp Web on their own computer.
In practice, this includes:
- Reading historical conversations, subject to what has been synced.
- Receiving new messages in real time.
- Viewing and downloading media such as photos, videos and voice notes.
- Collecting sensitive information shared between friends: addresses, email addresses, codes, links, which can later be misused or resold.
- Sending messages to individuals and groups as if they were the victim.
- Forwarding the same lure to many contacts with very little effort.
This is not traditional account hijacking in the sense of changing passwords or locking the owner out. The phone continues to work normally. Many victims are unaware that a second device has been added in the background, which is what makes the scam even more dangerous – criminals are hiding in your account, watching your every conversation without you even knowing it.
In our observations, that restriction does not consistently clear the linked session. Unless the victim goes into Settings and removes unknown devices, the attacker may retain access.
How victims then become GhostPairing attackers
The propagation mechanism is simple and effective because it is rooted in real relationships. Once an attacker has access to one account, they can use it to distribute the lure text that we mentioned previously to that person’s contacts and groups. Family chats, school groups, sports teams and work-related conversations are all opportunities.
Recipients see a very short, informal message coming from someone they know. There is no unfamiliar phone number, no obvious formatting errors, no long explanation. This minimal style typically avoids suspicion.
Some recipients click, some do not. Those who do and complete the linking step become new compromised accounts. They, in turn, can be used to reach fresh sets of contacts that the original attacker did not know existed – the attack expands like a snowball.
This is what makes the campaign efficient. It does not rely on cold spam. It rides existing trust.
Why this approach is concerning
Several aspects of this technique are worth highlighting.
First, it does not rely on stealing secrets. There is no password phish, no SMS interception, no direct authentication bypass. Everything happens inside the boundaries of the feature set that WhatsApp intended.
Second, the lure is highly plausible. For many users, the idea that “Facebook wants you to confirm something in WhatsApp” does not sound obviously wrong. Codes and QR scans have become part of everyday online life, especially on mobile.
Third, it creates persistent access. Linked devices do not disappear when the user closes a tab. They remain active until manually revoked. If there is no habit of checking the list of connected WhatsApp devices, an attacker can remain connected for a long time.
Finally, it opens the door to more than just simple spam. With access to full conversations and media, an attacker can learn how people talk, who is important to them, and what they might respond to. Voice notes and photos can later be reused in fraud attempts and impersonation, including deepfake enhanced scams, or extortion.
In other words, this is a clear example of how social engineering and legitimate infrastructure can combine into a very effective compromise method.
Infrastructure and kit-like behavior
Looking at the domains and templates involved, there are strong signals that the GhostPairing Attack is driven by a reusable kit that attackers can buy and distribute rather than a one-off project.
The same layout appears across multiple domains. The same idea of a Facebook viewer repeats, with minimal changes. Domain names follow a similar pattern around photos and posts, with a mix of generic TLDs.
From an operational point of view, this is convenient. If one domain is blocked or reported, it can be discarded and replaced with another one using the same files. A buyer of such a kit can plug in their own configuration – for example text targeting a specific region or, as the scam propagates, text specific to an individual – and start sending lures.
What people can do to protect themselves
For individuals, the most important actions are simple and do not require technical knowledge.
First, it is worth checking which devices are currently linked:
- Open WhatsApp.
- Go to Settings → Linked Devices.
- Review the list of active sessions and log out of anything you do not recognise.
Doing this once will remove any sessions already created by this sort of scam. Doing it periodically helps catch future problems earlier.

Second, treat any request to scan a WhatsApp QR code or enter a numeric code from a webpage as suspicious. WhatsApp linking should happen from inside the app and in response to a deliberate action, not because some external site tells you that it is required to view a file.
Third, enabling Two Step Verification in WhatsApp adds an additional barrier to other kinds of account abuse. It is not a complete solution, but it reduces the range of what attackers can do once they are in.
Finally, sharing information about this kind of scam with family members and group chats is surprisingly effective. Many victims click because they have never heard of anything like this. Once people know that “I found your photo” messages can hide an account linking trick, they are less likely to follow the script.
What platforms could improve
While user awareness is essential, there are also changes that platforms can consider.
Clearer messaging around device linking would help. If users saw large, unavoidable text explaining that they are about to give a new device full access to all messages and media, some would hesitate.
Better context on linking and pairing events would also be useful. Showing device type, browser, approximate location, and the fact that the request originated from a website, not from the app, could nudge users to cancel when something feels off.
Rate limiting device linking attempts, especially those that involve many different phone numbers from the same infrastructure, would raise the cost for attackers. Auto revoking recent linked sessions when spam or abuse is confirmed on an account would shorten the window of exploitation.
None of these measures alone would eliminate such attacks, but together they would make them less attractive.
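To make the last two suggestions concrete, here is an added Python sketch (not WhatsApp code, and not from Gen's article) of a sliding-window check that denies pairing codes to a source requesting them for too many distinct phone numbers, plus a helper that picks recently linked sessions for auto-revocation once abuse is confirmed. The request log, thresholds and session records are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample of pairing-code requests as a platform might log them
# (not real telemetry): (timestamp in seconds, source network, phone number).
SAMPLE_REQUESTS = [
    (0, "203.0.113.0/24", "+420111111111"),
    (30, "203.0.113.0/24", "+420222222222"),
    (60, "203.0.113.0/24", "+420333333333"),
    (90, "203.0.113.0/24", "+420444444444"),
    (120, "203.0.113.0/24", "+420555555555"),
    (150, "203.0.113.0/24", "+420666666666"),  # sixth distinct number
    (200, "198.51.100.0/24", "+420777777777"),
    (210, "198.51.100.0/24", "+420777777777"),  # same number retrying: fine
]


@dataclass
class PairingAbuseDetector:
    """Throttle a source that asks for pairing codes for too many distinct
    phone numbers inside a sliding window. A person linking a laptop touches
    one number; a relay kit serving many victims cycles through many."""
    window_seconds: float = 600.0
    max_distinct_numbers: int = 5
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def record(self, source: str, phone_number: str, now: float) -> bool:
        """Log one 'link device via phone number' request; True means deny."""
        q = self._events[source]
        q.append((now, phone_number))
        while q and q[0][0] < now - self.window_seconds:
            q.popleft()  # drop requests that fell out of the window
        return len({n for _, n in q}) > self.max_distinct_numbers


def replay(requests, detector=None):
    """Replay logged requests; return (timestamp, source) of every denial."""
    det = detector or PairingAbuseDetector()
    return [(ts, src) for ts, src, num in requests if det.record(src, num, ts)]


def sessions_to_revoke(linked_sessions, abuse_confirmed_at, lookback=86400):
    """Once abuse is confirmed on an account, return ids of linked sessions
    created within the lookback window: the auto-revocation candidates."""
    return [sid for sid, linked_at in linked_sessions
            if abuse_confirmed_at - lookback <= linked_at <= abuse_confirmed_at]


if __name__ == "__main__":
    print("denied:", replay(SAMPLE_REQUESTS))
    print("revoke:", sessions_to_revoke([("laptop", 1_000), ("unknown-browser", 990_000)], 1_000_000))
```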
Beyond WhatsApp: pairing as a broader attack surface
GhostPairing is not just a quirky one-off trick in a single app. It is a case study in what happens when a pairing flow is abused at scale. WhatsApp is a natural target, with billions of users and a growing role in everyday and business communication, but the pattern behind GhostPairing is more general.
Conceptually, the same risk exists anywhere you have:
- A QR code, code entry screen, or approval prompt that lets a new device connect to an existing account.
- A trusted primary device that scans or approves that request.
- A resulting session that is long lived and largely invisible to the user.
If those three conditions line up, an attacker who can control the QR code or pairing prompt, and convince the victim to interact with it, has a realistic path to creating their own ghost device.
Many modern services follow this pattern in one form or another, from messaging apps with web or desktop clients, to collaboration tools, social platforms and account ecosystems that rely on “approve on your phone” prompts. Most of them add extra checks, such as device details, locations, or number matching, which makes abuse harder but does not change the basic dependency: a single distracted click or code entry on the primary device can grant an unknown session elsewhere.
We are not claiming that GhostPairing style campaigns are already running across all these ecosystems. What we can say is:
- The design pattern that made GhostPairing possible is not unique to WhatsApp.
- Any platform that combines very easy pairing with low visibility of linked devices gives attackers something to work with.
In that sense, GhostPairing should be read as a warning, not just a WhatsApp incident. The more our digital lives depend on quick QR scans and “approve on your phone” flows, the more important it becomes to design these steps so that a single moment of inattention does not quietly create a ghost device that lives in the background for months.
Conclusion
The campaign described here illustrates a subtle shift in how some attackers operate. Instead of breaking cryptography or circumventing authentication, they use the product as designed and persuade users to cooperate at just the right moment.
By abusing WhatsApp’s device linking features and wrapping them in a familiar looking flow, they achieve a clean and persistent account compromise with minimal technical work.
The technique is not limited to one country or one platform. Any service that allows device pairing through QR codes or numeric codes is a potential candidate for similar abuse.
GhostPairing Attacks are a good example of how social engineering and legitimate features combine into very effective compromises. The attacker never breaks encryption, they simply convince the user to invite them in as a linked device.
The good news is that the defense is well within reach. A combination of user awareness, simple hygiene checks and modest platform changes can significantly reduce the impact of this type of scam.