GhostPairing WhatsApp Scam 2026: How It Works and How to Detect It | UncovAI

GhostPairing: The WhatsApp Scam That Doesn't Need Your Password

A new account takeover technique is spreading across Europe — no password, no SIM swap, no hacking in the traditional sense. Attackers exploit WhatsApp's own device-linking feature to silently install a ghost session on your account. And AI makes the aftermath significantly worse.

What is GhostPairing?

GhostPairing is a WhatsApp account takeover method first detected by researchers at Gen Digital — the company behind Avast and Norton — spreading through WhatsApp in Czechia in late 2025. Since then it has been confirmed to work in any language, in any country.

The attack doesn't exploit a software vulnerability. It abuses WhatsApp's own device-linking feature: the same tool that lets you read your messages on a laptop. Instead of breaking in, attackers trick you into opening the door yourself.

Key risk

Once inside, attackers have access to your voice notes, photos, and message history — everything needed to build an AI-powered impersonation of you or your contacts.

How the attack unfolds

GhostPairing moves in four steps, each one designed to feel completely normal.

1. A message from someone you trust

The attack starts with a casual WhatsApp message from a contact you know: "Hey, I just found your photo online!" The contact is real — their account has already been compromised, which is exactly why you don't hesitate. The message includes a link that renders as a Facebook-style preview inside WhatsApp. In observed attacks, URLs imitated Facebook with paths like /login/post.com or /login/facepost.com — close enough to look legitimate at a glance.

2. A fake Facebook login page

Tapping the link opens a page styled exactly like Facebook: same colours, same logo, same layout. You're asked to enter your phone number to "verify your identity" before viewing the photo. This is not Facebook. The moment you submit your number, it's forwarded to WhatsApp's real "link device via phone number" endpoint — triggering an authentic device-pairing request behind the scenes.

3. A code that hands over your account

WhatsApp sends a numeric pairing code to the requesting device — in this case, the scam site. The fake page displays that code and tells you to open WhatsApp and type it in to "confirm your login." It looks and feels exactly like a standard two-factor verification step. Many people complete it without a second thought.

4. A ghost device, active and invisible

When you enter the code, WhatsApp registers the attacker's browser as a linked device on your account. Your phone keeps working normally. No alert, no notification, nothing to suggest anything has changed. The attacker now has a persistent, invisible session that stays active until you manually remove it.
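For defenders who can review links from chat exports or web-proxy logs, the lure described in step 1 can be triaged automatically. The following is an added example, not code from this article's sources or from Gen Digital's research: it flags URLs that carry Facebook branding or the reported /login/...post.com path shape on a host that is not Facebook's. The host allowlist, the generalised path pattern, and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: allowlist of genuine Facebook hosts; extend for your environment.
LEGIT_SUFFIXES = ("facebook.com", "fb.com", "fb.me")
# Generalises the path shapes quoted above (/login/post.com, /login/facepost.com).
LURE_PATH = re.compile(r"^/login/[a-z0-9-]*post\.com(?:/|$)", re.I)
# Brand tokens that should only appear on genuine Facebook hosts.
BRAND_TOKEN = re.compile(r"facebook|facepost", re.I)

def is_legit_host(host):
    # Exact match or true subdomain only; "facebook.com.evil.test" must fail.
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def classify(url):
    """Return (verdict, reason) for one URL taken from a chat or proxy log."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
    except ValueError:
        return "unparsed", "malformed URL"
    host = parts.hostname or ""
    if not host:
        return "unparsed", "no hostname"
    if is_legit_host(host):
        return "ok", "genuine Facebook host"
    if LURE_PATH.search(parts.path):
        return "suspicious", "path matches reported GhostPairing lure shape"
    # netloc keeps any userinfo, so "facebook.com@other.host" is caught too.
    if BRAND_TOKEN.search(parts.netloc) or BRAND_TOKEN.search(parts.path):
        return "suspicious", "Facebook branding on non-Facebook host"
    return "unknown", "no Facebook imitation detected"

# Constructed sample URLs; .test/.example hosts are placeholders, not real IoCs.
SAMPLES = [
    "https://www.facebook.com/login/",
    "https://photos.example.test/login/post.com",
    "https://photos.example.test/login/facepost.com?id=1",
    "https://facebook.com.verify.example.test/photo",
    "https://facebook.com@viewer.example.test/photo",
    "https://news.example.org/article",
]

def scan(urls):
    return [(u, *classify(u)) for u in urls]

if __name__ == "__main__":
    for url, verdict, reason in scan(SAMPLES):
        print(f"{verdict:10} {url}  ({reason})")
```

A "suspicious" verdict is a triage signal for review or blocking, not proof of a GhostPairing page; "unknown" only means the URL does not imitate Facebook in the ways checked here.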

What attackers can do once they're in

A linked browser session has the same capabilities as any WhatsApp Web connection. That means:

💬 Read messages in real time

Every conversation — personal, family, business — is visible as it arrives.

📂 Access synced history

Everything that has ever been backed up to the account, not just current messages.

🖼️ Download all media

Photos, videos, and voice notes shared in any chat are fully accessible.

📤 Send messages as you

To friends, family, and groups — spreading the lure to your entire contact list.

The snowball effect is one of the most dangerous properties researchers noted: every compromised account is immediately used to target its own contacts. A single successful attack can reach thousands of people within hours.

Why GhostPairing is more dangerous in 2026

This is where it moves beyond a standard phishing scam. Access to your WhatsApp gives attackers everything they need to build a convincing AI impersonation: your voice from voice notes, your face from photos and videos, your writing style from text history, and your social graph from group chats and contact names.

That raw material feeds directly into AI voice-cloning and deepfake video tools to create fake messages, fake calls, and fake videos that sound and look like you — or like people your contacts trust.

A WhatsApp account compromise is increasingly the first step in a broader fraud chain, not the end of it.

At UncovAI, we've documented this pattern across multiple scam campaigns. The voice note someone receives from "you" asking for an urgent bank transfer. The video call where "you" appear distressed and need money. The account takeover is the setup; the AI-generated content is the punchline.

What to do if you've been compromised

Act quickly. The attacker's linked device stays active until you manually remove it — it doesn't disappear when you close the browser or restart your phone.

1. Remove unknown linked devices

Open WhatsApp → Settings (or tap ⋮) → Linked Devices → review every active session → tap and log out of anything you don't recognise.

2. Warn your contacts immediately

Message your contacts and groups to let them know your account was compromised. Tell them not to click any links they received from you recently.

3. Enable two-step verification

Go to WhatsApp → Settings → Account → Two-step verification. This adds a PIN required when registering your number on a new device. It won't block GhostPairing directly — since the attack uses the legitimate pairing flow — but it significantly raises the cost of broader account abuse.

4. Watch for follow-on scams

Anyone who accessed your messages now knows a great deal about you and the people you're close to. Be alert to unusual requests from contacts, unexpected calls, or any communication that seems slightly off. It may have been generated using AI trained on what was taken from your account. The UncovAI scam and deepfake detector can help you check suspicious content before you act on it.

5. Verify suspicious media

If you receive a voice note, video, or image through WhatsApp that seems unusual — even from a trusted contact — you can check it without leaving WhatsApp. Send the file directly to @uncovai_bot on WhatsApp and get an instant AI detection result. You can also upload it at uncovai.com for a full analysis.

How to protect yourself before an attack happens

Critical rule

Never enter a WhatsApp pairing code because a website tells you to. Device linking should only happen when you initiate it yourself inside WhatsApp.

Check your linked devices regularly. WhatsApp → Settings → Linked Devices. This takes ten seconds and will tell you immediately if something is wrong.

Treat unexpected links with caution, even from people you know. If a trusted contact's account is already compromised, the lure arrives from their real number — not a stranger's.

Question any "verify before viewing" prompt. No legitimate service requires you to enter a WhatsApp code on an external website. If a page asks for it, close the tab.

For anything suspicious that reaches you — voice, video, or image — the UncovAI browser extension lets you run detection checks without leaving your current tab.

Why this is spreading fast

GhostPairing was first detected in Czechia but has no language barrier. The lure text is short, the fake login page is trivial to re-skin in any language, and the underlying kit is commercially available — meaning low-skill actors can purchase and deploy it at scale.

WhatsApp's 3.5 billion global users and its dominant position in European, South American, and South Asian messaging make it an exceptionally attractive target. Add the snowball propagation model and the AI-powered follow-on fraud layer, and you have one of the more dangerous social engineering chains currently in circulation.

Frequently asked questions

Does GhostPairing steal my WhatsApp password?

No. It never needs your password. It abuses WhatsApp's own device-linking feature by tricking you into approving it yourself.

Will two-step verification stop this attack?

Two-step verification adds meaningful protection against other account takeover methods, but it doesn't directly block GhostPairing, because the attack uses WhatsApp's legitimate pairing flow rather than trying to register your number on a new device. It's still worth enabling — it raises the cost of broader account abuse significantly.

How do I know if my account has already been compromised?

Go to WhatsApp → Settings → Linked Devices. If you see any device you don't recognise — especially a browser session you didn't add — remove it immediately and warn your contacts.

Can AI make GhostPairing attacks worse?

Yes. Attackers who access your account gain access to voice notes, photos, and personal messages that can be used to train AI impersonation tools. This enables deepfake voice calls, AI-generated video messages, and highly targeted social engineering against your family or colleagues.

How can UncovAI help?

UncovAI detects AI-generated and manipulated media — video, image, and audio. If you receive suspicious content through WhatsApp or any other channel, you can upload it at uncovai.com to check whether it is authentic.

Don't wait to find out the hard way

GhostPairing requires no technical skill to deploy, leaves no obvious trace, and turns your own contacts into unwitting accomplices. The best defence is knowing what to look for — and having the tools to verify what you're seeing. If you receive suspicious media through WhatsApp, run it through UncovAI before acting on it.


Sources: Gen Digital research (December 2025), Avast Security Blog, SC Media, Security Affairs, CSO Online.

This article was produced by the UncovAI editorial team. UncovAI is an AI deepfake detection platform used by individuals, enterprises, and journalists across Europe and beyond.