Mallory

GhostPairing Social Engineering Attack Enables WhatsApp Account Takeover

Tags: phishing-campaign-intelligence, identity-impersonation-fraud, initial-access-method, credential-access-method
Updated March 21, 2026 at 03:07 PM (6 sources)

A new WhatsApp account takeover campaign, dubbed the GhostPairing attack, uses social engineering to trick users into granting attackers access to their accounts; no password theft or SIM swap is required. Victims receive a message from a trusted contact, typically reading "Hey, I just found your photo!" and carrying a link styled as a Facebook photo preview. Clicking it lands the victim on a convincing fake Facebook page that asks them to "verify" their identity. That "verification" is in fact WhatsApp's own device-linking flow, walked through step by step, so the attacker's browser session ends up added as a linked device on the victim's account.

The attack abuses WhatsApp's legitimate device-pairing feature rather than any flaw in the app: because the victim's own phone completes the pairing, the compromise looks like a user-approved action, and the attacker's linked session keeps reading and sending messages until the victim notices it and logs it out. The campaign was first observed in Czechia, with messages sent from compromised accounts to local contacts, and the infrastructure relies on a network of lookalike domains designed to mimic Facebook. Security researchers emphasize that there is no password theft or SIM swap involved; the attack relies entirely on user manipulation. Users are advised to treat unexpected messages with suspicion even when they come from known contacts, to scrutinize any request to "verify" or link a device, and to review Settings > Linked Devices in WhatsApp and log out any session they do not recognize.
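The lure in this campaign is a link whose host imitates Facebook. The following script is an added example (it is not Gen Digital's or Mallory's code) showing the lookalike checks a mail or messaging gateway would run over such links before a user ever reaches the fake "verify" page: the real brand domain stacked as a subdomain of another registrable domain, homoglyph substitutions, near-miss typosquats, brand names embedded in the domain or only in the path. The legitimate-domain list, the homoglyph table and every sample message and URL are assumptions constructed for this illustration; the `.example` domains are not real indicators from the campaign.

```python
"""Lookalike-domain triage for Facebook/Meta-themed phishing links.

Added example; not the page's or Gen Digital's code. LEGIT_DOMAINS,
HOMOGLYPHS and SAMPLES are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Registrable domains treated as genuinely Meta-owned (assumption; extend for your environment).
LEGIT_DOMAINS = {"facebook.com", "fb.com", "fb.me", "meta.com", "whatsapp.com", "wa.me", "m.me"}
BRAND_LABELS = ("facebook", "whatsapp", "meta")
# Substitutions commonly seen in homoglyph squats, undone before comparing to a brand label.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("4", "a"), ("5", "s"), ("7", "t")]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss typosquats such as facebok."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); production code should consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> dict:
    """Return a verdict for one URL; checks are ordered from strongest to weakest signal."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    path = parsed.path.lower()
    if not host:
        return {"url": url, "host": "", "verdict": "unknown", "reason": "no host"}
    reg = registrable(host)
    sld = reg.split(".")[0]
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    verdict, reason = "unknown", "no brand signal"
    if reg in LEGIT_DOMAINS:
        verdict, reason = "legitimate", "registrable domain is a known brand domain"
    elif any(host.startswith(d + ".") for d in LEGIT_DOMAINS):
        verdict, reason = "brand-domain-as-subdomain", "real brand domain stacked under " + reg
    elif any(lab in BRAND_LABELS for lab in sub_labels):
        verdict, reason = "brand-in-subdomain", "brand label in a subdomain of " + reg
    elif sld not in BRAND_LABELS and normalize(sld) in BRAND_LABELS:
        verdict, reason = "homoglyph", "domain label mimics a brand via character substitution"
    elif any(len(b) >= 7 and 0 < edit_distance(sld, b) <= 2 for b in BRAND_LABELS):
        verdict, reason = "typosquat", "domain label is within 2 edits of a brand label"
    elif any(b in normalize(sld) for b in BRAND_LABELS):
        verdict, reason = "brand-in-domain", "brand label embedded in a non-brand registrable domain"
    elif any(b in path for b in BRAND_LABELS):
        verdict, reason = "brand-in-path", "brand label appears only in the URL path"
    return {"url": url, "host": host, "verdict": verdict, "reason": reason}


def scan_message(text: str) -> list:
    """Extract every URL in a message body and classify it."""
    return [classify_url(u.rstrip(".,;:!?)")) for u in URL_RE.findall(text)]


def is_suspicious(text: str) -> bool:
    """True when any link in the message carries a lookalike signal."""
    return any(r["verdict"] not in ("legitimate", "unknown") for r in scan_message(text))


# Constructed sample messages shaped like the lure described above (not real campaign data).
SAMPLES = [
    "Hey, I just found your photo! https://facebook.com.photo-preview.example/verify",
    "look who's here: https://faceb00k.example/photo?id=42",
    "is this you? https://www.facebook.com/photo.php?fbid=1",
    "meeting notes https://news.example/story",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for r in scan_message(msg):
            print(f"{r['verdict']:<26} {r['host']:<40} {r['reason']}")
```

This is a triage heuristic for the delivery stage only: the link itself reveals nothing about the device-linking step that follows, so the control that actually ends the compromise is still the Linked Devices review on the phone. The naive eTLD+1 split will misjudge two-level suffixes such as co.uk, which is why a real deployment should swap in the public suffix list.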

Timeline

  1. Dec 15, 2025

    Gen Digital discloses the GhostPairing WhatsApp takeover technique

    Gen Digital publicly disclosed the GhostPairing attack, describing how attackers can gain persistent access to WhatsApp accounts without stealing passwords or performing SIM swaps. The disclosure detailed the campaign's propagation through compromised accounts, use of lookalike domains, and the broader risk posed by similar pairing flows on other platforms.

  2. Dec 15, 2025

    GhostPairing campaign first observed targeting WhatsApp users in Czechia

    Gen Digital reported first observing a WhatsApp account-takeover campaign in Czechia that abused the platform's legitimate linked-device pairing flow. The attack used messages from compromised contacts and fake Facebook/Meta-themed pages to trick victims into linking an attacker-controlled device.


Sources

  - December 18, 2025
  - December 18, 2025
  - December 17, 2025
  - 1 more from sources like the Gen Insights research blog

Related Stories

Global WhatsApp Account Hijacking Campaign via Social Engineering

A rapidly expanding WhatsApp account hijacking campaign, dubbed HackOnChat by CTM360, is targeting users worldwide through a network of deceptive authentication portals and impersonation pages. Attackers exploit WhatsApp's web interface and use social engineering tactics, such as fake security alerts and spoofed group-invite messages, to trick users into compromising their accounts. The campaign leverages thousands of malicious URLs hosted on inexpensive domains, with a surge in activity noted across the Middle East and Asia. Once an account is compromised, attackers use it to target the victim's contacts for further scams, data theft, and extortion, often propagating the attack chain through phishing messages sent from the hijacked account. Research from UC San Diego highlights the broader social engineering strategies employed by scammers, including the use of long, trust-building conversations that often transition to WhatsApp as the preferred platform for executing fraud. The study found that scammers typically delay financial requests until after extensive interaction, using personal conversation and subtle verification techniques to build credibility. These findings underscore the effectiveness of WhatsApp as a tool for scammers and the sophistication of their methods in orchestrating account takeovers and subsequent fraudulent activities.

1 month ago
Mobile Messaging Account Compromises and Spyware Threats

Security researchers and intelligence analysts have documented a series of incidents and trends highlighting the risks to mobile messaging accounts and devices. In December, a new form of WhatsApp account hijacking called GhostPairing was identified, where attackers trick users into linking an attacker-controlled browser to their WhatsApp device, potentially exposing sensitive information. Separately, researchers uncovered large-scale scraping of WhatsApp's contact discovery tool, resulting in the exposure of billions of phone numbers and associated profile data. Meanwhile, spyware threats targeting both iPhone and Android users have escalated, with zero-click attacks enabling adversaries to compromise devices and access encrypted messaging apps such as WhatsApp and Signal. Apple and Google responded by patching vulnerabilities believed to be exploited by commercial spyware like Predator, and the US CISA issued warnings about the active targeting of mobile messaging applications. In another high-profile case, the Iranian-linked Handala hacking group claimed to have fully compromised the mobile devices of two Israeli officials. However, forensic analysis revealed that only their Telegram accounts were breached, not the entire devices. The attackers likely used techniques such as SIM swapping, SS7 exploitation, and phishing to gain access, exposing gaps in session management and account security on encrypted messaging platforms. These incidents underscore the growing sophistication of attacks against mobile messaging services and the need for robust security measures, including privacy controls, passkey-encrypted backups, and vigilance against phishing and SIM-based attacks.

1 month ago
Social Engineering Scams Exploiting Mobile Device Features to Steal Credentials and Funds

Cybercriminals are increasingly leveraging built-in features of popular mobile platforms to execute sophisticated social engineering scams aimed at stealing sensitive credentials and financial assets. On WhatsApp, scammers exploit the screen-sharing function by impersonating trusted entities such as bank employees or support agents, coercing victims into sharing their screens under the pretense of resolving urgent security issues. This access enables attackers to view and capture one-time passwords (OTPs), banking details, and other personal information, resulting in significant financial losses. In response, Meta has introduced AI-powered safety tools, including real-time warnings when users attempt to share their screens with unknown contacts, to mitigate these attacks. Similarly, iPhone users are being targeted through phishing campaigns that exploit the "Find My" feature. After a device is lost or stolen, scammers send convincing fake messages—purportedly from Apple Support—containing links that claim to help locate the missing phone. By leveraging accurate device details and the victim's sense of urgency, attackers trick users into divulging their Apple ID credentials, potentially granting full access to personal data and accounts. Authorities such as Switzerland’s National Cyber Security Centre have issued warnings about these tactics, emphasizing the need for heightened vigilance when responding to unsolicited messages related to lost devices.

1 month ago
