
Hackers have found a way to quietly take over WhatsApp accounts without touching passwords, SMS codes, or the app’s end-to-end encryption. Instead of breaking crypto, they are abusing a legitimate feature that lets users link their phones to browsers and companion devices, turning convenience into a powerful attack surface. The result is a new wave of account hijacks that feel almost invisible until the damage is done.
Security researchers and government agencies now warn that this technique, widely referred to as GhostPairing, can give intruders full access to chats, contacts, and group conversations while victims keep using WhatsApp as if nothing is wrong. I see it as a textbook example of how modern attacks increasingly target the seams between usability and security rather than the cryptography at the core.
GhostPairing: the WhatsApp hack that sidesteps authentication
The most unsettling detail about GhostPairing is that it does not require cracking passwords, intercepting SMS codes, or breaking encryption at all. Instead, hackers exploit WhatsApp’s device-linking workflow so they can hijack accounts without ever defeating the underlying authentication, which means traditional advice about strong passwords or avoiding code sharing is not enough on its own. According to one detailed warning, hackers can hijack WhatsApp accounts without any need to crack the authentication, turning a trusted feature into a stealthy backdoor.
What makes this so effective is the way it piggybacks on a familiar user journey. People are used to scanning QR codes to open WhatsApp Web on a laptop or to link a secondary device, so a prompt to “verify” or “reconnect” rarely triggers suspicion. In GhostPairing campaigns, attackers lean on that muscle memory, guiding victims into completing the official pairing process themselves, which then silently grants the intruder a persistent session that looks indistinguishable from a legitimate linked device.
How attackers abuse device linking to hijack accounts
At the core of GhostPairing is a simple idea: if you can trick someone into pairing your browser or emulator as their device, you inherit their WhatsApp session. Attackers abuse WhatsApp’s device-linking feature by generating pairing codes on their own systems and then persuading targets to scan those codes as if they were part of a normal login or support flow. Security researchers describe how attackers abuse WhatsApp’s device-linking process to connect malicious instances of WhatsApp Web rather than any account owned by the victim.
Once the pairing is complete, the attacker’s device is treated as a fully trusted endpoint. Messages sync in real time, media downloads as usual, and the intruder can send or delete chats just like the account owner. Because the feature is designed for multi-device use, there is no obvious alert that a stranger has joined the party, and the victim’s phone continues to function normally. That quiet persistence is what turns a single successful pairing into a long-term foothold inside someone’s private conversations.
A global campaign, from India’s CERT to CTM360’s findings
The scale of GhostPairing has pushed national agencies and private researchers to sound the alarm. In India, the national Computer Emergency Response Team, known as CERT, has warned that the vulnerability could let hackers gain full control of WhatsApp accounts used by citizens across the country. The advisory, framed as a ‘GhostPairing’ warning, underscores that India’s CERT sees the campaign as serious enough to merit national attention, not just a niche technical flaw.
Private threat intelligence firms have reached similar conclusions about the breadth of the operation. Researchers at CTM360 describe a global hijacking effort that relies on polished phishing infrastructure, including fake support pages and portals that mimic WhatsApp’s own branding. They note that these sites are further optimized for global reach, with multilingual support and a country-code selector that adapts the lure to local users. That level of localization suggests a professionalized operation rather than opportunistic one-off scams.
Social engineering: the real weapon behind GhostPairing
Technically, GhostPairing leans on a legitimate feature, but the real weapon is persuasion. Threat actors are not brute-forcing anything; they are convincing people to complete the pairing on their behalf. A recent ThreatsDay analysis describes how threat actors are using a new social engineering technique that frames the pairing request as a security check, a support step, or even a requirement to avoid account closure. According to that research, threat actors are using a new social engineering technique that has already been detected in multiple regions, including Czechia.
What I find striking is how closely this mirrors older scams that asked users to forward SMS codes, only now the payload is a QR code or pairing prompt instead of a six-digit number. The psychology is the same: create urgency, impersonate authority, and exploit the fact that most people do not fully understand how device linking works under the hood. By the time a victim realizes that no legitimate support agent should ever need them to scan a code on an unknown website, the attacker’s browser is already logged in as their WhatsApp.
Inside the ‘GhostPairing’ label and India’s public warning
The term GhostPairing itself comes from the way the attack adds an invisible companion device that shadows the victim’s activity. India’s CERT chose that name in an advisory that explains how the campaign tricks users into linking an attacker-controlled device to their account. The guidance, summarized by local technology reporters, notes that the ‘GhostPairing’ attack tricks users into granting full access to their WhatsApp accounts, including private and group chats.
India’s mainstream coverage has amplified that message, with TOI, the Tech Desk, and TIMESOFINDIA.COM all highlighting the risk to ordinary users and the steps needed to stay safe. One widely shared explainer stresses that the Indian computer emergency response team is not dealing with a theoretical bug but with active exploitation in the wild. It also notes that the advisory was updated by the TOI Tech Desk at 20:40 IST, a reminder that officials and journalists are iterating their guidance as more details emerge.
Quiet hijacks: why victims often do not notice
One of the most dangerous aspects of GhostPairing is how little it disrupts the victim’s day-to-day use of WhatsApp. Unlike classic account takeovers that log the original device out, this method leaves the phone connected and functioning normally while the attacker reads and sends messages from a linked session. Security analysts describe how WhatsApp accounts are quietly hacked by GhostPairing through the app’s official device pairing process, which means there are no obvious red flags like repeated login prompts or missing chat history.
That quietness gives attackers time to do more than just lurk. With full access, they can impersonate the victim in one-to-one chats, harvest sensitive information from group conversations, or pivot into financial scams that target friends and family. Because the messages originate from the real account, recipients are far more likely to trust requests for money, one-time passwords, or confidential documents. By the time someone notices unusual activity, the intruder may have already exfiltrated months of conversation history and used the account as a launchpad for further fraud.
How to spot and disconnect rogue linked devices
The good news is that GhostPairing is not unstoppable, especially if users know where to look. WhatsApp includes a dashboard that lists all active linked devices, and checking it regularly is one of the simplest ways to catch an intruder. Practical guides explain that to see if someone has access to your account via WhatsApp Web, you should open the app on your phone, go to the menu, and review the list of connected sessions. As one step-by-step tutorial puts it, to check if someone has access via Web you can disconnect it immediately from that screen.
In my view, that device list should become as routine a check as reviewing app permissions or bank statements. If you see a browser or system you do not recognize, especially one tied to a location you have never visited, you should revoke it on the spot and then change your phone’s lock code and any associated email passwords. It is also worth enabling additional safeguards like two-step verification inside WhatsApp, which adds a PIN that attackers would need if they ever tried to re-register your number on a new phone.
Recovering a hijacked WhatsApp account
For those who have already lost control of their account, recovery is still possible, but it requires acting quickly and methodically. Security experts advise starting by reinstalling WhatsApp on your own device and attempting to re-verify your phone number, which can kick out unauthorized sessions. If that fails, you may need to contact WhatsApp support directly and provide proof of ownership, such as the original SIM card or associated email address. One consumer-focused guide notes that if you have lost access to your WhatsApp account, you can restore it by following the official recovery steps, even when someone else is currently using your account.
I would also treat a confirmed GhostPairing incident as a broader security breach, not just a messaging glitch. If an attacker has been reading your chats, they may have seen copies of IDs, bank details, or login links that could be abused elsewhere. After regaining control, it is worth reviewing recent conversations for any signs of impersonation, warning close contacts that your account was compromised, and resetting passwords for any services discussed in those chats. The goal is to close off secondary risks that extend beyond WhatsApp itself.
Why GhostPairing matters for the future of secure messaging
GhostPairing is a reminder that secure messaging is about more than encryption protocols and marketing promises. WhatsApp’s end-to-end encryption still does its job, but it cannot protect users from attacks that operate at the device level or exploit human behavior. When hackers can gain full control of an account simply by persuading someone to scan the wrong code, the real battleground shifts to interface design, user education, and the guardrails around powerful features like device linking. That is why India’s CERT, CTM360, and other researchers are treating this as a structural issue rather than a one-off scam.
Looking ahead, I expect messaging platforms to rethink how they present pairing flows, perhaps by adding clearer warnings when linking to unfamiliar domains, stronger anomaly detection for suspicious Web sessions, or time-limited approvals that require periodic confirmation on the primary phone. Until then, the most effective defense is awareness: understanding that GhostPairing exists, recognizing that no legitimate support agent will ever ask you to scan a QR code on an external site, and making a habit of pruning your list of linked devices. In a world where social engineering keeps evolving faster than most people’s security instincts, that kind of informed skepticism is as important as any technical fix.