A new WhatsApp scam is quietly taking over user accounts across India. The government’s cyber security agency has warned that attackers no longer need passwords or SIM swaps to break into WhatsApp. A simple click on a fake link may be enough.
The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity advisory on a cyber campaign called GhostPairing. The attack misuses WhatsApp’s device-linking feature and gives hackers full access to user accounts.
What Is the GhostPairing Attack?
GhostPairing is a social engineering attack that tricks users into linking an attacker’s device to their WhatsApp account. According to CERT-In, hackers can gain access without stealing login credentials. They also do not need to change the victim’s SIM card.
“In a nutshell, the GhostPairing attack tricks users into granting an attacker’s browser access as an additional trusted and hidden device by using a pairing code that looks authentic,” the agency said in the advisory.
CERT-In has published an Advisory on its website.
WhatsApp Account takeover campaign (GhostPairing) https://t.co/s8f11XbJY1
— CERT-In (@IndianCERT) December 19, 2025
Once linked, the attacker’s device stays connected unless the user manually removes it.
How WhatsApp Accounts Get Hijacked
The attack starts with a casual message. It usually says, “Hi, check this photo”. The message appears to come from a trusted contact.
The link shows a familiar Facebook-style preview. When users click it, they land on a fake page. The page asks them to “verify” their identity to view the image.
At this stage, attackers misuse WhatsApp’s option to link a device via phone number. Victims enter their number, thinking it is safe.
By completing a few simple steps, users unknowingly approve a hidden device. No password is stolen. No OTP raises suspicion.
What Hackers Can Access After GhostPairing
Once the attacker links their device, they gain access similar to WhatsApp Web:
- They read synced messages
- They receive new chats in real time
- They view photos, videos, and voice notes
- They send messages as the victim
- They access personal and group conversations
The compromised account often spreads the scam further by messaging other contacts.
Why CERT-In Calls It a High-Risk Threat
CERT-In has given the alert a high severity rating. The reason is simple. The attack looks legitimate and uses official app features.
“It has been reported that malicious actors are exploiting WhatsApp’s device-linking feature to hijack accounts using pairing codes without an authentication requirement. This newly identified cyber campaign called GhostPairing enables cyber criminals to take complete control of WhatsApp accounts without needing a password or SIM swaps,” the advisory said.
Many users may not realise for days that their account has been hijacked.
How to Protect Your WhatsApp Account
Avoid Clicking Unknown Links
Do not open links, even from known contacts, unless you confirm them first.
Never Enter Your Phone Number on External Pages
WhatsApp does not ask users to verify identity through random websites.
Check Linked Devices Regularly
Go to WhatsApp Settings > Linked Devices. Immediately remove any device you do not recognise.
Spread Awareness
Inform friends and family. One hacked account can put many others at risk.
Why This Alert Matters
WhatsApp plays a major role in daily communication in India. A hijacked account can lead to fraud, data theft, and loss of privacy.
CERT-In’s warning highlights a growing trend in cybercrime. Attackers now rely more on deception than technical hacking. Staying alert is the best defence.