惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
DataBreaches.Net
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
SegmentFault 最新的问题
博客园 - 聂微东
罗磊的独立博客
W
WeLiveSecurity
博客园_首页
Scott Helme
Scott Helme
V
Visual Studio Blog
T
The Exploit Database - CXSecurity.com
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
Latest news
Latest news
L
Lohrmann on Cybersecurity
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
A
About on SuperTechFans
F
Full Disclosure
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - 司徒正美
博客园 - Franky
C
CXSECURITY Database RSS Feed - CXSecurity.com
F
Fortinet All Blogs
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
雷峰网
雷峰网
博客园 - 【当耐特】
P
Privacy International News Feed
C
Cyber Attacks, Cyber Crime and Cyber Security
Engineering at Meta
Engineering at Meta
aimingoo的专栏
aimingoo的专栏
MongoDB | Blog
MongoDB | Blog
J
Java Code Geeks
T
Tor Project blog
V
V2EX
爱范儿
爱范儿
C
Check Point Blog
T
Threatpost
Project Zero
Project Zero
量子位
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
I
Intezer
G
GRAHAM CLULEY
P
Privacy & Cybersecurity Law Blog
GbyAI
GbyAI
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Are UK council websites adhering to government security guidelines? - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is ARP? ARP protocol explained What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is a prompt injection attack? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
What is GhostPairing on WhatsApp?
Richard Erns · 2026-05-06 · via Comparitech

What is GhostPairing on WhatsApp?

GhostPairing is a WhatsApp account takeover scam where cybercriminals trick you into pairing your account with their device. They can then read your chats, send messages from your number, and target your contacts next.

Below you’ll see how the scam usually plays out, the risks involved, and the main warning signs that your account’s been exposed. We’ll also cover some useful prevention tips and what to do if you’ve already been hit.

Learn what GhostPairing is, how it works, and how to stay safe.

What is GhostPairing?

In December 2025, researchers at Gen discovered GhostPairing, a cyberattack that uses phishing and social engineering to trick victims into linking their WhatsApp accounts to the attacker’s device.

GhostPairing exploits the fact that people expect quick replies and don’t really double-check links from familiar names. Once attackers gain access, they can use your account to reach your contacts and extend the scam further.

How does GhostPairing work?

GhostPairing uses a fake login page and WhatsApp’s own device-linking feature to give scammers control of your account. The process looks routine, which is why it’s easy to miss until the damage is done. Here’s how it works, step-by-step:

1. You receive a message from a trusted contact

A contact who has already been hacked may send you an eye-catching message like “Hey, your pic’s on the news!” followed by a link. The link preview might show “Facebook post”, “Facebook login” or similar descriptions to appear legitimate at first glance.

In reality, the URL leads to “photobox.life”, “yourphoto.world”, or other similarly-worded scam domains. Gen’s findings suggest a kit-based approach, where attackers reuse the same layout and just rotate domains when needed.

2. Clicking through takes you to a fake login

Clicking the phishing link opens a page that copies a Meta login screen, which asks for your phone number to sign in. The layout looks familiar, so it feels like a standard account check. After you enter your number, the site triggers WhatsApp’s real device-linking process in the background.

3. You’re asked to “verify” your device

The fake login page displays a numeric code and asks you to confirm it via WhatsApp to “finish the login process.” After you enter your number, WhatsApp sends a real pairing request. The site shows that code and asks you to enter it, which connects the attacker’s device to your account.

4. Attackers can now access your WhatsApp account

Once you enter the final code, the attacker’s device can connect to your account like any other paired device. From that point, they can read your messages and send new ones through your account until you manually unlink it or reset access.

Can GhostPairing attacks use QR code linking?

You can approve a new device with QR scanning, so QR-based linking should work, in theory. If you scan a code on a malicious page, you’d basically be granting the attacker access via WhatsApp Web or a desktop session.

That said, scammers wouldn’t bother with this method due to the unnecessary friction it adds. You’d need a separate screen or device just to scan the QR code, and at that point, most people would tell that something is off. That, or say they can’t be bothered and ask for a screenshot of their supposed news feature.

Most campaigns stick to phone-number prompts and verification codes since those work on a single phone and move people through the scam faster. Still, it’s worth keeping in mind.

The risks of GhostPairing

GhostPairing gives attackers full access to your WhatsApp, which opens the door to account misuse, data theft, and a fresh list of contacts to scam:

  • Account takeover: The most obvious danger is that attackers can now control your messages and account settings without you noticing.
  • Identity theft scams: If you often share ID numbers, addresses, or other sensitive data, hackers may use them to open accounts in your name or pass checks that rely on personal info.
  • Financial fraud: Attackers may message your contacts with payment requests, copying your writing style to appear legitimate.
  • Blackmail and extortion: Hackers can collect your private images and messages and threaten to share them unless you pay up. If they find any intimate media, you may end up in a sextortion scheme.
  • Business account abuse: Scammers can message customers, take over sales chats, and send fake payment details that can hurt trust in your business and cost you sales.

Warning signs that your WhatsApp was compromised

GhostPairing often leaves traces if you know where to look. These warning signs can help you catch unauthorized access before it becomes a bigger problem:

  • Unknown linked devices: Tap the three dots on the top right and select Linked devices. If you see a computer, browser, or location you do not recognize, someone may have connected to your account without permission.
  • Messages marked as read: Chats may show the blue “seen” ticks even though you never opened them, which may indicate an attacker is reading them.
  • Sudden battery drain: Your battery may drain faster than usual if WhatsApp runs in the background more often, since a linked device can keep chat syncing active.
  • Contacts reporting strange texts: Friends, family, or co-workers may tell you they got odd links, money requests, or weird replies. Act fast if that’s the case, as scammers may be using your account to trick others.
  • Deleted chats or messages: You may notice missing threads, cleared chat history, or messages removed mid-conversation. Attackers sometimes delete evidence after reading or copying your chats.

How to protect yourself against GhostPairing

Following a few basic internet safety habits can block most GhostPairing attempts. Here’s what to do:

  • Double-check links before clicking: Ensure the URL you’re accessing is legitimate (e.g., facebook.com vs facebook.login.com) and doesn’t have an unusual domain suffix (e.g., fotoface.top, yourphoto.life).
  • Review your linked devices often: Check your list regularly and log out right away if you see anything unfamiliar, before attackers can read or sync new chats.
  • Never scan QR codes for “verification”: One of the risks of QR codes is that they can link your WhatsApp to another device in seconds. If a page asks you to scan one to “verify you,” it’s likely a scammer trying to access your account.
  • Enable two-factor authentication (2FA): Go to Settings > Account > Two-step verification, then tap Turn on and create a PIN. This adds a safety net in case someone tries to steal your account.
  • Turn on security notifications: Tap the three dots on the top right, then go to Settings > Account > Security notifications and turn on Show security notifications on this device. WhatsApp will then warn you when it changes encryption keys, a sign that someone may be messing with your account.
  • Keep your OS and WhatsApp updated: Updates patch security bugs and fix weak points attackers rely on. Install them as soon as possible, especially for messaging apps.

What to do if you’ve fallen for a GhostPairing scam

It’s easy to fall for a GhostPairing scam when the message comes from someone you trust. Don’t beat yourself up over it; just follow this checklist to minimize the damage:

  • Unlink all devices: First things first, cut off the attacker’s access. Press the three dots on the top right, then Linked devices, and tap any unknown entries to log them out.
  • Alert your contacts: Tell friends and family to ignore recent messages, especially money requests or links. This stops scammers from using your account to trap more people.
  • Lock down your financial accounts: Check your banking apps, cards, and payment accounts for suspicious activity. Change passwords and call your bank if you see transfers you did not approve.
  • File an anti-fraud report: Report the incident to your bank, your carrier, and any local cybercrime or fraud reporting service (like the FTC, the FBI’s IC3, or Report Fraud). Keep a paper trail in case you need it later.
  • Expect further scam attempts: Scammers often come back with follow-up messages, fake support calls, or “recovery” offers. Treat any urgent request as suspicious for the next few days.

What is GhostPairing? FAQs

Is GhostPairing limited to WhatsApp?

GhostPairing is built around WhatsApp, but the scam can work on other messaging apps that support multi-device sessions.

Also read: