A new type of scam is being run on WhatsApp. Government of India’s Indian Computer Emergency Response Team (CERT-In) has recently issued a high-risk alert for ‘GhostPairing’ vulnerability. WhatsApp is the most widely used messaging app not only in India but across the world, and its popularity makes it highly vulnerable to attacks from malicious actors. While various WhatsApp scams are frequently reported, the latest one is unprecedented.
India’s principal cybersecurity agency, CERT-In (Indian Computer Emergency Response Team), has issued a high-risk alert regarding a critical vulnerability in WhatsApp’s device-linking feature. This flaw, known as GhostPairing, allows hackers to gain complete control of a user’s WhatsApp account without requiring passwords, OTPs, or physical SIM swaps.
Exploiting this vulnerability, attackers can gain real-time access to the victim’s entire chat history on the platform’s web version, including sensitive photos, videos, voice notes, and live messages.
How Does the GhostPairing Attack Work?
According to the CERT-In alert issued on December 19, 2025, this attack primarily uses a social engineering technique that exploits legitimate WhatsApp features. The process typically begins with a fraudulent message sent from a trusted contact whose account has likely already been compromised.
The message often contains a tempting lure, such as, “Hi, look at this picture of yours,” along with a link that displays a preview resembling Facebook to gain immediate trust.
When a user clicks on the link, they are redirected to a fraudulent verification page designed to mimic the official Facebook or WhatsApp web interface.
In GhostPairing, attackers use two main methods to compromise the account –
Pairing Code Method:
The fake site prompts the user to enter their phone number. Behind the scenes, the attacker initiates a legitimate “Link with Phone Number” request in their own browser. WhatsApp then generates an 8-digit pairing code, which the attacker relays to the fake site. The victim, mistaking it for a routine security verification, enters the code into their WhatsApp app and unknowingly authorizes the attacker’s browser as a trusted device.
QR Code Method:
In some cases, the phishing site embeds a real-time QR code from the attacker’s WhatsApp Web session. If the victim scans this code from their mobile app to verify their identity, the attacker logs in instantly.
Why is GhostPairing extremely dangerous?
The insidious nature of this pairing is its most dangerous characteristic. Because the attack uses the official linked-device protocol, it does not trigger a new-login alert, nor the second OTP that a fresh login on another phone would normally require. The victim’s primary number continues to function normally, with no forced logouts, so the attacker can remain a silent observer for days or even weeks. During this time, they can monitor all incoming and outgoing communications and even impersonate the user to spread the GhostPairing trap to the victim’s entire contact list and group chats.
How to keep your WhatsApp account secure?
CERT-In has urged all Indian digital citizens to be extremely cautious when encountering unfamiliar links, even from known contacts. To secure your accounts –
Audit your devices:
Go to Settings > Linked Devices in the WhatsApp app. If you see any unfamiliar browser or operating system (e.g., Google Chrome – macOS when you only use Windows), log out of it immediately.
Enable Two-Step Verification (2SV):
Set up a custom 6-digit PIN in your account settings. This adds a crucial layer of security that a paired device cannot easily bypass.
Never pair externally:
You should never scan a QR code or enter a pairing code on any website. Genuine WhatsApp pairing only happens between your own phone and an official WhatsApp application or web.whatsapp.com.
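The last rule can be turned into a mechanical check that a browser extension or chat-gateway filter could apply to a page reached from a chat link: if the page asks for a pairing code or a QR scan and is not served from web.whatsapp.com itself, flag it. This is an added illustration, not code from CERT-In or WhatsApp; the host names and page text below are constructed.

```python
import re
from urllib.parse import urlsplit

# The only host where a WhatsApp linking QR or pairing code legitimately appears.
OFFICIAL_PAIRING_HOSTS = {"web.whatsapp.com"}

# Wording that shows a page is asking the reader to pair or link a device.
PAIRING_PROMPT = re.compile(
    r"(pairing code|link with phone number|linked devices|scan (this|the) qr)",
    re.IGNORECASE,
)
# An 8-digit pairing code, optionally split 4-4 as WhatsApp displays it.
PAIRING_CODE = re.compile(r"\b\d{4}[- ]?\d{4}\b")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the URL cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def extract_pairing_code(page_text: str):
    """Return the first 8-digit pairing code found in the page, or None."""
    match = PAIRING_CODE.search(page_text)
    return match.group(0) if match else None


def classify_pairing_page(url: str, page_text: str) -> str:
    """Classify a page a user landed on from a chat link.

    'no-pairing'   - the page does not ask the user to pair/link a device
    'official'     - a pairing prompt on web.whatsapp.com itself
    'ghostpairing' - a pairing prompt served from any other host
    The host comparison is exact, so a lookalike such as
    'web.whatsapp.com.example' is treated as a third-party site.
    """
    if not PAIRING_PROMPT.search(page_text):
        return "no-pairing"
    return "official" if host_of(url) in OFFICIAL_PAIRING_HOSTS else "ghostpairing"


# Constructed sample of a lure page (not taken from any real incident).
LURE_PAGE = (
    "Facebook Security Check\n"
    "To view this photo, confirm it's you: open WhatsApp > Linked Devices > "
    "Link with phone number and enter the pairing code 4821-9073."
)

if __name__ == "__main__":
    print(classify_pairing_page("https://fb-photo-verify.example/check", LURE_PAGE))
    print(extract_pairing_code(LURE_PAGE))
```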