Scam Awareness

How WhatsApp GhostPairing Hijacks Your Account in 2026

CERT-In flagged WhatsApp GhostPairing on 19 December 2025. Scammers hijack accounts via linked-device pairing. How it works and how to defend yourself.

Sai Samarth & Ashok Kamat
Cyber Secify

WhatsApp GhostPairing is an account takeover technique flagged by CERT-In on 19 December 2025 (advisory CIAD-2025-0055). Scammers send a message from an already-hijacked contact saying “Is this you in this photo?” with a link. The link leads to a fake photo-viewer site (photobox.life, yourphoto.world, fotoface.top) that asks for your phone number, then triggers a real WhatsApp linked-device pairing using the 8-digit code. Once you enter the code, the attacker is silently linked to your account and reads every incoming message, including banking OTPs. The defence: enable two-step verification, never enter your phone number on a “view photo” link, and audit Settings > Linked devices weekly.

Who this is for

Anyone in India who uses WhatsApp. The attack hits everyday users via the photo-lure pretext, but the real damage potential is highest for founders, finance staff, business owners, and anyone whose WhatsApp receives banking OTPs or work-sensitive messages. GhostPairing is technical enough to fool careful people because the linked-device feature it abuses is a real, documented WhatsApp feature. The victim is approving a real WhatsApp prompt, just not the one they think they are.

How WhatsApp linked devices actually work

WhatsApp’s “Linked devices” feature is the legitimate way to use the same account on a desktop browser, a tablet, or a second phone. From WhatsApp’s official documentation (About linked devices, How to link a device):

  1. You open WhatsApp Web on a browser, or the WhatsApp Desktop app, or another device.
  2. The browser/desktop displays a QR code AND an option to receive an 8-digit pairing code by phone number.
  3. On your primary phone you scan the QR (or enter the 8-digit code in Settings > Linked devices > Link a device).
  4. Pairing completes. The new device starts receiving every message your phone receives. End-to-end encryption is preserved per device.

Linked devices stay active until you explicitly log them out. WhatsApp does not send a security warning before showing future incoming messages on a linked device. This last point is what GhostPairing exploits.

The GhostPairing attack chain

Per CERT-In CIAD-2025-0055, the Malwarebytes Ghost of WhatsApp writeup, SecurityAffairs, and CSO Online, the attack runs in five steps.

  1. Initial breach. Attacker hijacks one user’s WhatsApp account (often via the same GhostPairing technique applied earlier, or via SIM-swap fraud, or via a stolen device). This account becomes the launchpad.
  2. Lure to friends. Using the hijacked account, the attacker messages every contact: “Is this you in this photo?” or “Look at this funny picture” with a shortened URL. Variants seen in the wild: photobox.life, yourphoto.world, fotoface.top, plus rotating throwaway domains.
  3. Phone-number capture. Victim taps the link expecting a photo. The page displays a “verify your phone number to view this photo” prompt. The victim, trusting the contact who sent it, enters their phone number.
  4. Real WhatsApp pairing triggered. In the background, the attacker’s WhatsApp Web session uses the captured phone number and requests an 8-digit pairing code. The fake photo-viewer site relays this 8-digit code to the victim with instructions to enter it in WhatsApp Settings > Linked devices > Link with phone number instead.
  5. Silent linkage. The victim enters the code. WhatsApp pairs the attacker’s device. The victim sees a generic “device linked” notification (or no notification at all if WhatsApp Settings happens to be closed). The attacker now sees every incoming WhatsApp message.

Once linked, the attacker can read banking OTPs, intercept work conversations, harvest contact lists for the next round of lures, and impersonate the victim by posting in WhatsApp groups.

Why this matters: OTPs, banking, and business

WhatsApp is increasingly used by Indian banks for transaction alerts, fixed-deposit confirmations, and customer-service interactions. Some banks even deliver one-time passwords via the WhatsApp Business API. A silently linked attacker can:

  • Read OTP messages delivered via WhatsApp and authorise UPI payments or net-banking transfers
  • Read every personal and family conversation
  • Read group conversations including work/finance chats
  • Send money requests in your voice to your contacts
  • Send malicious links to your contacts to expand the GhostPairing campaign

The Hyderabad police commissioner V.C. Sajjanar issued a public warning on 22 December 2025, three days after the CERT-In advisory (Telangana Today). He flagged that elderly users and homemakers were being targeted disproportionately because the photo-lure relies on a familiar contact’s name appearing in the message preview.

What CERT-In CIAD-2025-0055 actually says

The advisory (CIAD-2025-0055), published 19 December 2025 and confirmed via CERT-In’s official social handle, describes the attack as a “WhatsApp Account takeover campaign (GhostPairing)” with high severity. CERT-In’s recommended actions:

  • Enable two-step verification on WhatsApp (a 6-digit PIN required when registering the number on a new device)
  • Never share the WhatsApp pairing code or QR with anyone
  • Periodically review and remove unknown linked devices
  • Avoid clicking unknown links shared in WhatsApp, even from trusted contacts
  • Verify any unusual message from a contact via a second channel (call them) before acting

Cluster context: why CEO impersonation cases matter

Even before GhostPairing was named, related WhatsApp-takeover patterns were already costing Indian companies. Documented cases (all from The420.in primary reporting):

  • Hyderabad. INR 1.20 crore lost. A company finance head received WhatsApp messages from what appeared to be the CEO’s number (with the CEO’s display picture) instructing an urgent vendor transfer. Money moved to a mule account. (The420.in)
  • Jaipur. INR 5.30 crore lost, 17 arrested. A mining company’s finance team was duped via WhatsApp DP impersonation of its director. Multi-state gang. (The420.in)
  • Pune. INR 70 lakh lost. A poultry firm’s accounts head fell for whale-phishing via WhatsApp. (The420.in)

These pre-GhostPairing cases relied on impersonation (lookalike numbers, copied display pictures). GhostPairing makes the same attack faster: the attacker does not need to spoof a number when they can silently read messages from a real one.

Per a Press Information Bureau release, I4C blocked 83,668 WhatsApp accounts associated with cybercrime in the digital arrest scam alone. Total Indian cybercrime losses reached approximately INR 11,333 crore in the first 9 months of 2024 per I4C / MHA disclosures. NCRB Crime in India 2024 (released May 2026) put cybercrime cases above 1 lakh, up 17.9% year on year. WhatsApp is the dominant attacker-victim communication channel at this scale.

5 red flags that should stop you cold

1. A lure line and a link, nothing else

“Is this you in this photo?”, “Look at this”, “Did you see this?”, a URL, nothing else. Real friends almost never send link-only messages. They explain why.

2. A throwaway “photo viewer” domain

photobox.life, yourphoto.world, fotoface.top and similar throwaway domains. Genuine photos shared between friends in 2026 stay inside WhatsApp media or land in Google Photos / iCloud links from real cloud providers.

3. A page you expected to show a photo asks for your phone number

No photo viewer in 2026 needs your phone number to display an image. This single check defeats GhostPairing.

4. You see a 6-digit or 8-digit code and someone asks you to type it into WhatsApp

Genuine WhatsApp registration codes are entered ONCE during setup of YOUR phone. If anyone (a “friend”, a “support agent”, a website) asks you to enter a code received on your phone into WhatsApp Linked Devices, you are about to be hijacked.

5. WhatsApp suddenly shows messages out of order, or contacts message you confused

If your contact says “why did you ask for INR 50,000?” and you never sent that, your account is compromised. Open Settings > Linked devices immediately.
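The first two red flags above (a link-only lure message, and a link on a throwaway photo-viewer domain) are mechanical enough to check before anyone taps. The Python below is an added example, not code from the article or from Cyber Secify: it scores a message text against those two flags using only the three domains and lure phrasings quoted in this article, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Domains quoted in this article (CERT-In / Malwarebytes reporting); illustrative only.
KNOWN_LURE_DOMAINS = {"photobox.life", "yourphoto.world", "fotoface.top"}
# Lure phrasings quoted in the article (red flag 1), lower-cased.
LURE_PHRASES = ("is this you in this photo", "look at this", "did you see this")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Host of a URL with a leading 'www.' removed (no public-suffix logic)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def score_message(text: str) -> dict:
    """Score one message text against red flags 1 and 2; return flags and verdict."""
    urls = URL_RE.findall(text)
    # Whatever is left once URLs are removed: the explanation a real friend gives.
    remainder = URL_RE.sub("", text).strip().lower().rstrip("?!.: ")
    flags = []
    # Red flag 1: a URL accompanied by nothing, or only by a stock lure line.
    if urls and (not remainder or any(p in remainder for p in LURE_PHRASES)):
        flags.append("link_only_lure")
    # Red flag 2: a link to a domain reported as GhostPairing infrastructure. Shortened
    # URLs are not expanded (that needs a network request), so they only trip flag 1.
    if any(registrable_domain(u) in KNOWN_LURE_DOMAINS for u in urls):
        flags.append("known_lure_domain")
    if "known_lure_domain" in flags:
        verdict = "block"
    elif flags:
        verdict = "verify"  # confirm with the sender over a second channel first
    else:
        verdict = "ok"
    return {"flags": flags, "verdict": verdict}


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    "Is this you in this photo? https://photobox.life/v/abc123",
    "Look at this funny picture http://www.fotoface.top/p/9",
    "Pics from Saturday's trek, shared album here: https://photos.google.com/share/xyz",
    "https://bit.ly/3xyz",
    "Meeting moved to 4pm",
]


def triage(messages=SAMPLE_MESSAGES):
    """Return (message, verdict) pairs; defaults to the constructed samples."""
    return [(m, score_message(m)["verdict"]) for m in messages]
```

A "verify" verdict is the point of the exercise: a bare shortened link is not proof of compromise, but it is exactly the case to confirm with the sender by call or SMS rather than by tapping.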

Three defences that work today

Two-step verification (mandatory)

Open WhatsApp > Settings > Account > Two-step verification > Turn on. Set a 6-digit PIN you will remember (not your phone PIN, not your bank PIN). Add a recovery email. From now on, registering your phone number on a new device requires this PIN. Even if an attacker captures your number on a fake site, they cannot complete pairing without the PIN. Reference: WhatsApp two-step verification help.

Audit linked devices weekly

Settings > Linked devices. Review the list. Anything you do not recognise (unknown browser, unfamiliar location, last-active timestamp from a place you have never been), tap and Log out. Make this a habit, not a panic response.

Never give a link your phone number or a pairing code

Genuine photo links never need your phone number. Genuine WhatsApp pairing codes are entered ONCE on your own phone during setup. If you broke this rule, go to Settings > Linked devices and audit immediately.

What to do if you got paired

  1. Settings > Linked devices > Log out every unknown device immediately.
  2. Enable two-step verification if not already on, before the attacker can re-register.
  3. Tell your close contacts via SMS or call (NOT WhatsApp) that your account was compromised, so they ignore any money requests. Banking and business contacts especially.
  4. Change your bank passwords and authenticate fresh OTPs only on your phone, not via any other linked surface.
  5. Report at cybercrime.gov.in or call 1930. Both are operated by I4C under MHA, 24x7.
  6. Report the lure URL to CERT-In at incident@cert-in.org.in so it gets added to their advisory list.
  7. If money was transferred, file the bank-fraud complaint via your bank’s emergency line and ask them to flag the receiving UPI ID. The first 24 hours are the highest-probability window for a beneficiary account freeze.

If a contact sent you a “view photo” link, a “verification” link, or anything that asks for your phone number, send it to us before clicking.

WhatsApp / Call: +91 99644 43350

Send a screenshot or the URL itself, the contact name who sent it, and the message preview. We help you verify whether the link is GhostPairing infrastructure or harmless, and tell you what to do next.

What we do:

  • Decode the URL and check it against known GhostPairing domain lists
  • Cross-check the contact’s account for prior compromise indicators if you can share permission
  • Walk you through the WhatsApp Linked Devices audit safely
  • Tell you whether to engage further or block

What we do not do:

  • Charge for the verification
  • Ask for your WhatsApp pairing code, phone number entry, or any code received on your phone
  • Take control of your phone

Verification is free. Related guides for the same attack family: AI voice cloning scams, digital arrest scams, and DPDP impersonation phishing.

Need help beyond verification?

If your account was hijacked and the attacker reached your finance team, family, or business contacts, we offer paid engagements:

  • Emergency response: containment, evidence preservation, FIR drafting, NCRP filing, contact-tree damage control
  • Corporate WhatsApp policy + CFO fraud playbook for finance teams
  • Ongoing security consulting for AI-first and API-first SaaS startups
  • Founder-led Security on Demand for INR 9,999, 4 hours, fully refundable if we cannot help

WhatsApp +91 99644 43350 or contact Cybersecify to discuss.

Save this number now

If you ever see a suspicious WhatsApp link, an unknown linked device on your account, or a message preview that does not match your contact’s usual style: WhatsApp +91 99644 43350. Save it now. During an active hijack, you will not have time to search.

For a broader scan of how exposed your business is to lookalike attacks (domain impersonation, fake apps, leaked credentials), run OpenEASD on your domain. Open source external attack surface scanner: 11 attack vectors across DNS, email, TLS, web layer, and known CVEs, runs locally via Docker, MIT licensed.

Frequently asked questions

What is WhatsApp GhostPairing?

GhostPairing is a WhatsApp account takeover technique flagged by CERT-In on 19 December 2025 (advisory CIAD-2025-0055). Scammers trick the victim into entering their phone number on a fake photo-viewer site (often shared by an already-hijacked contact saying ‘Is this you in this photo?’). The site triggers a real WhatsApp linked-device pairing request. The victim, expecting to view a photo, approves the 8-digit pairing code. The attacker is now silently linked to the victim’s WhatsApp and reads every incoming message including OTPs, banking alerts, and private chats.

Does GhostPairing use a QR code or a pairing code?

The reported attack chain primarily uses the 8-digit numeric pairing code, not the QR code. WhatsApp’s linked-device feature accepts both, but the numeric route fits the lure better because the victim is on a phone, not standing in front of a desktop QR code. The fake photo-viewer site asks for the phone number, then the victim is told to enter the 8-digit code displayed on the attacker’s WhatsApp Web session. Once entered, pairing completes.

How do I check if my WhatsApp account has been silently linked to an attacker’s device?

Open WhatsApp, tap the three dots menu (Android) or Settings (iPhone), then Settings > Linked devices. Review every device listed. If you see anything you do not recognise (unknown browser, unknown country, unfamiliar last-active timestamp), tap that device and select ‘Log out.’ Audit this list weekly, and immediately if you have entered your phone number on a suspicious link in the last 7 days.

How do I protect WhatsApp before something goes wrong?

Three defences. First, enable two-step verification: Settings > Account > Two-step verification > Turn on, set a 6-digit PIN, add an email for recovery. Second, never enter your phone number on a link sent in WhatsApp, especially photo-viewer or ‘verification’ or ‘KYC’ links from contacts. Third, audit Settings > Linked devices weekly. These three together defeat almost every WhatsApp account takeover technique known in 2026, including GhostPairing.

What should I do if my WhatsApp has been hijacked?

First, open Settings > Linked devices and log out every unknown device. Second, enable two-step verification immediately. Third, alert close contacts via SMS or call (not WhatsApp) that your account was compromised so they ignore any money requests sent in the meantime. Fourth, file a complaint at cybercrime.gov.in or call 1930. Fifth, report the suspicious link to CERT-In (incident@cert-in.org.in) so they can add it to their public advisory list.
