Criminal networks are exploiting WhatsApp’s own security features to hijack accounts without stealing passwords, creating a viral “snowball” effect that spreads through trusted family and friends networks.
Story Highlights
- GhostPairing scam tricks users into voluntarily linking attackers’ devices to their WhatsApp accounts
- Attackers gain invisible access to all messages, photos, and contacts without victims knowing
- Scam spreads through compromised contacts, making fake messages appear trustworthy
- Meta banned 7 million accounts in first half of 2025, but attacks continue using legitimate features
How the GhostPairing Attack Works
The GhostPairing scam begins when victims receive seemingly innocent messages from compromised contacts, such as “Hey, I just found your photo!” with a fake Facebook preview link. Clicking the link leads to a convincing phishing page that mimics a photo viewer, prompting users to enter their phone number and a pairing code generated by WhatsApp. This process effectively adds the attacker’s browser as a linked device, granting them full read and write access to the victim’s account without any password theft or SIM card swapping.
Unlike traditional hacking methods, this attack exploits WhatsApp’s legitimate device-linking feature, which was designed for user convenience to allow multi-device access. The entire compromise takes just minutes and leaves victims’ phones functioning normally, making detection extremely difficult. Attackers maintain persistent “ghost” access to historical chats and media, positioning themselves for future extortion or deepfake creation using stolen personal content.
Researchers uncovered GhostPairing, a social engineering attack that links a malicious device to a WhatsApp account by abusing the official pairing flow.
The attacker gets full linked-device access—messages, media, and groups—while the victim’s phone keeps working as normal.
— The Hacker News (@TheHackersNews) December 19, 2025
Viral Snowball Effect Threatens Conservative Networks
The attack’s most dangerous aspect lies in its viral propagation through trusted social networks. Once criminals compromise one account, they immediately send lure messages to all contacts in that person’s network, leveraging existing relationships to build credibility. This “snowballing” effect particularly threatens conservative communities that rely heavily on family group chats and trusted friend networks for sharing news and coordinating activities.
Gen Digital researchers warn that this attack “expands like a snowball” because it exploits the very trust that binds conservative families and communities together. Traditional spam filters prove ineffective since messages originate from legitimate, previously trusted contacts. The scam thrives in regions with high WhatsApp penetration, including the United States, where family communication increasingly depends on messaging platforms.
Meta’s Response Falls Short of Real Solutions
Meta shut down approximately 7 million scam-linked WhatsApp accounts in the first half of 2025, targeting multi-operational criminal networks involved in cryptocurrency and pyramid schemes. The company also rolled out screen-sharing alerts for unknown contacts and issued warnings about upfront payment scams. However, these reactive measures fail to address the fundamental vulnerability that GhostPairing exploits.
Security experts note that Meta’s enforcement power remains limited to post-detection responses, while criminals continue exploiting legitimate platform features. The company’s statement acknowledging “criminal syndicate-run scam centers” reveals the scale of organized crime targeting WhatsApp users, yet no fundamental redesign of the device-linking feature has been announced. This reactive approach leaves American families vulnerable to ongoing attacks that abuse the platform’s own security infrastructure.
Conservative users should immediately check their WhatsApp “Linked Devices” settings and remove any unfamiliar connections. Simply logging out may not revoke attacker access, making regular device audits essential for protecting family communications. This attack underscores how big tech platforms prioritize convenience over security, leaving users to defend themselves against sophisticated criminal operations that exploit the very features meant to help them.
https://youtu.be/QZ5a973he5o?si=vur7uhl-cw_mY2cK
Sources:
GhostPairing Attacks: From Phone Number to Full Access in WhatsApp
Common WhatsApp Scams and How to Avoid Them
WhatsApp Issues Warning Over Latest Money-Stealing Con Trick
WhatsApp Scams
Meta Bans Millions of WhatsApp Accounts
