
GhostPairing is the kind of WhatsApp attack that feels unfair, because it skips the usual warning signs like one-time passwords or SIM swaps and goes straight for your chats. Instead of stealing your code, attackers quietly attach their own device to your account and start reading and sending messages as if they were you. The good news is that the same feature GhostPairing abuses can be locked down with a few deliberate settings changes and regular checks.
If you understand how WhatsApp’s device linking works, you can spot the red flags before someone else slips into your conversations. I will walk through how the scam operates, why it is so effective, and the specific steps in WhatsApp’s menus that cut off the attack before it starts.
What GhostPairing actually is
GhostPairing is a campaign that targets WhatsApp’s multi-device feature, turning a convenience tool into a stealthy hijack. Instead of trying to clone your SIM card or trick you into sharing a one-time password, the attackers use WhatsApp’s own pairing flows to add a new device that quietly mirrors your account. Once that link is in place, they can see your messages, send new ones, and monitor your contacts without ever touching your phone again.
Security researchers describe GhostPairing as a way to move “from phone number to full access” by abusing the same mechanism that lets you use WhatsApp on a laptop or secondary phone. The attack focuses on the device-linking process, which is normally meant to be safe and transparent, and twists it into a channel for long-term spying and fraud. Because there is no obvious OTP prompt or SIM activity, many victims do not realize anything is wrong until contacts start receiving strange messages in their name.
How WhatsApp’s linking feature became an attack surface
WhatsApp’s multi-device system was designed to make life easier, not riskier. In normal use, you open WhatsApp Web or the desktop app, scan a QR code, or enter a pairing code, and your chats appear on a second screen so you can type from a keyboard or keep working on a tablet. That same flow also supports linking via phone number and a numeric code, which is meant to help people who cannot easily scan QR codes but still want their account on another device.
GhostPairing turns that flexibility into a liability. By abusing pairing flows that were supposed to be user-friendly, attackers can link a device that behaves just like a legitimate companion app. Users can scan a QR code displayed on a computer screen, or link via phone number and a numeric code, and GhostPairing leans on those same options to slip past people who are used to seeing WhatsApp on multiple screens. The result is that a feature built for convenience doubles as a powerful surveillance and impersonation tool when it is misused.
Why GhostPairing feels invisible to victims
Most WhatsApp users have been trained to worry about OTPs and SIM swaps, not about the quiet list of linked devices buried in the app’s settings. GhostPairing exploits that mental model. The method avoids the usual triggers that make people suspicious, and instead relies on the fact that many of us rarely check which browsers, laptops, or phones are attached to our account. Once a rogue device is linked, it can sit there for weeks, silently syncing messages and contacts.
Researchers note that the GhostPairing method avoids suspicion, relies on weak device hygiene, and becomes far more dangerous when users have not enabled two-step verification or shared basic security awareness with family and colleagues. Because there is no SMS code to steal and no SIM activity to trace, traditional mobile security advice does not catch the problem. That is why GhostPairing can feel like a ghost in your account, present in every conversation but almost never seen.
From phone number to full account control
At the core of GhostPairing is a simple but powerful idea: if you can convince WhatsApp that your device is a trusted companion, you inherit almost everything the real owner can do. Attackers start with a target’s phone number, then work to trigger a pairing flow that lets them attach a new device. Once that succeeds, the linked device receives message history, ongoing chats, and the ability to send and receive messages as if it were the original phone.
One analysis describes GhostPairing as a path from phone number to full access, with attackers abusing WhatsApp’s device-linking feature to hijack accounts via pairing codes. Once the link is in place, they can read private conversations, reset settings, and use the account to push phishing links or payment requests to friends and family. In effect, the attacker’s device becomes a shadow copy of your WhatsApp, inheriting your identity in every chat where people trust your name and profile photo.
No OTP, no SIM swap, and why that matters
Traditional WhatsApp scams usually revolve around tricking you into sharing a one-time password or taking control of your phone number through a SIM swap. GhostPairing sidesteps both. There is no OTP prompt that makes you pause, and no need to convince a mobile carrier to move your number. That makes the attack cheaper, faster, and easier to scale, because it depends more on social engineering and overlooked settings than on high-risk telecom fraud.
Security explainers on the campaign emphasize that “no OTP, no SIM swap” is not a reassuring phrase in this context; it is the warning label. A new scam dubbed GhostPairing is targeting WhatsApp users by hijacking accounts without OTPs or SIM swaps, which means the usual advice to “never share your code” is necessary but not sufficient. If you assume that your account is safe simply because you never forwarded a six-digit code, GhostPairing is designed to prove you wrong.
How attackers abuse pairing flows in practice
To turn theory into compromise, attackers need to get through WhatsApp’s pairing process, which was meant to be interactive and user controlled. In practice, that can involve tricking a victim into scanning a QR code that looks like a normal login prompt, or manipulating them into entering a numeric pairing code that actually binds their account to the attacker’s device. Social engineering plays a central role, with lures that mimic support messages, job offers, or urgent requests from contacts whose accounts are already compromised.
Technical write-ups describe how attackers abuse WhatsApp’s device-linking feature to hijack accounts via pairing codes in the GhostPairing campaign. Once the victim completes what they think is a routine login or verification step, the attacker’s device is treated as a legitimate companion. From that point on, the attacker can operate independently, with no need to keep messaging the victim or asking for additional approvals. The initial trick is the only human interaction required.
How to check if your WhatsApp has a ghost device
The most important defensive habit against GhostPairing is also the simplest: regularly review which devices are linked to your WhatsApp account. On the mobile app, you can do this by opening WhatsApp, going to Settings, and tapping Linked Devices. That screen shows every browser, desktop app, or secondary phone that currently has access to your chats, along with basic information about when each one was last active.
Security guidance on GhostPairing spells out the steps clearly: What people can do to protect themselves
Locking down your account with layered defenses
Checking Linked Devices is only one part of a broader defense. To make GhostPairing much harder, you should enable WhatsApp’s two-step verification, which adds a PIN that attackers need even if they manage to trigger a pairing flow. That extra layer means that a stolen phone number or a successful social engineering attempt is not enough on its own to grant full access to your account.
Researchers who have studied GhostPairing stress that the campaign thrives when users skip basic protections like two-step verification and do not share security awareness with people around them. The same analysis that details how the method avoids suspicion also highlights that enabling two-step verification and talking openly about scams with friends, family, and colleagues can sharply reduce the pool of easy targets. In other words, your own settings matter, but so does the security culture in your group chats.
Everyday habits that make GhostPairing less likely
Beyond specific WhatsApp toggles, a few everyday habits can blunt the impact of GhostPairing and similar scams. Treat any unexpected request to scan a QR code or enter a numeric code with skepticism, especially if it arrives through WhatsApp itself. If someone claims to be from support, a bank, or a delivery service and asks you to complete a “verification” step inside WhatsApp, stop and contact the organization through an official channel instead.
It also helps to normalize quick checks before acting. If a friend suddenly messages from WhatsApp asking for money, sensitive documents, or login details, verify through a voice call or a different app like Signal or regular SMS. Because GhostPairing turns compromised accounts into launchpads for more scams, a single cautious phone call can break the chain. The more you build those habits into your daily messaging, the less room campaigns like GhostPairing have to operate.