A new and highly effective social engineering campaign is targeting WhatsApp users worldwide, leveraging the app's legitimate device-linking feature to orchestrate complete account takeovers. Dubbed the 'Ghost Pairing' attack, this scheme has prompted official high-severity advisories from Indian cybersecurity agencies and is linked to a broader, psychologically manipulative scam known as 'Digital Arrest.'
The attack chain exploits the multi-device and WhatsApp Web pairing functionality. Threat actors, often operating from call centers, initiate contact by impersonating law enforcement officials (such as the Narcotics Control Bureau or police), bank security personnel, or Meta technical support. Using fabricated narratives—claiming the victim's number is involved in money laundering, drug trafficking, or that their account is compromised—they create a sense of urgency and fear.
The core of the scam involves tricking the victim into revealing critical authentication codes. The attacker guides the victim to the 'Linked Devices' section within WhatsApp settings and instructs them to initiate a 'Link a Device' scan, which generates a QR code. Alternatively, the attacker may socially engineer the victim to reveal the 8-digit pairing code displayed on their screen. In some variants, the victim is coerced into sharing the 6-digit SMS registration OTP sent by WhatsApp, which is a primary recovery mechanism.
With this code, the attacker pairs their own device to the victim's WhatsApp account via WhatsApp Web. This 'ghost' device then gains full, persistent access to the account. Crucially, the attacker never has to break end-to-end encryption: the linked device is a trusted endpoint, so messages are delivered to it already decrypted. The attacker can read all past and future messages in personal and group chats, access contact lists, and send messages impersonating the victim. This can lead to further fraud, identity theft, and financial scams targeting the victim's contacts.
The 'Ghost Pairing' attack is frequently a component of the more extensive 'Digital Arrest' scam. In these cases, after establishing control, the fraudsters use video calls to masquerade as police, convincing victims they are under investigation or arrest. They are then instructed to remain isolated on camera for extended periods—a 'digital arrest'—while the attackers exploit their seized WhatsApp account to extort money from family and friends by fabricating emergencies.
From a technical security perspective, this attack highlights a critical distinction: it exploits a legitimate feature through user manipulation, not a software vulnerability in WhatsApp's protocol. The platform's encryption remains intact, but the trust model is broken once an unauthorized device is paired. This places the defense burden squarely on user awareness and behavior.
Mitigation and recommendations for individuals and organizations are clear. The cardinal rule is never to share WhatsApp verification codes (SMS OTPs), QR codes, or 8-digit pairing codes with anyone, regardless of their claimed authority. Users should regularly review their linked devices in WhatsApp Settings > Linked Devices and log out from any unfamiliar sessions. Enabling two-step verification within WhatsApp adds an essential extra layer of security, requiring a PIN even if an attacker obtains the SMS code.
For enterprise security teams, this threat underscores the need to update security awareness training to include these specific tactics. Employees using WhatsApp for business communication are high-value targets. Policies should reinforce that no legitimate organization will ever request authentication codes over the phone or via message.
The emergence of 'Ghost Pairing' represents an evolution in social engineering, moving beyond simple phishing to the manipulation of core application functionalities. It serves as a stark reminder that in security, the human element often remains the most exploitable link, even when cryptographic foundations are sound. Continuous education and a culture of verification are paramount defenses against such personalized, high-pressure attacks.