Your WhatsApp Can Be Hijacked Without a Password — Here’s How the ‘GhostPairing’ Scam Works
A new scam technique called GhostPairing allows attackers to take over WhatsApp accounts without stealing passwords or SIM cards.

Security researchers are warning users about a newly observed scam technique known as GhostPairing, which enables attackers to hijack a WhatsApp account without needing a password, OTP, or SIM swap. The attack abuses WhatsApp’s legitimate device-linking feature, which makes it difficult for victims to detect until the damage is done.
GhostPairing relies on social engineering rather than technical exploitation. Attackers trick victims into scanning a malicious QR code under the pretense of account verification, support assistance, or feature activation. Once scanned, the attacker’s device becomes linked to the victim’s WhatsApp account as a secondary device.
Because WhatsApp allows multiple linked devices, the attacker gains full access to messages in real time. As a result, they can read chats, monitor conversations, and impersonate the victim without logging them out. In many cases, victims continue using WhatsApp normally, unaware that someone else is silently watching.
The scam is especially dangerous because it bypasses traditional security assumptions. Users often believe their account remains safe as long as their phone number and OTP stay secure. However, GhostPairing does not require credential theft. Instead, it exploits user trust and familiarity with QR-based workflows.
Attackers use compromised accounts to spread scams further, request money from contacts, or gather sensitive personal and business information. For professionals and organizations, this can lead to data exposure, reputational damage, and secondary phishing attacks.
Security experts warn that GhostPairing attacks are difficult to detect after the initial compromise. Victims may only notice unusual behavior, such as messages being read unexpectedly or contacts receiving messages they did not send. By then, attackers may already have harvested valuable information.
To stay protected, users should never scan QR codes sent through unsolicited messages or calls. WhatsApp users should also regularly review the “Linked Devices” section in their account settings and remove any unfamiliar devices immediately. Enabling two-step verification adds another layer of defense but does not fully prevent this attack.
Overall, GhostPairing highlights a growing trend in modern scams. Attackers increasingly abuse legitimate features instead of hacking accounts directly. Awareness and caution remain the strongest defenses against these silent account takeovers.