GhostPairing: The WhatsApp Linked‑Device Scam Behind “Silent” Account Takeovers

GhostPairing is a social‑engineering account takeover technique that abuses the legitimate “linked devices” pairing flow to add an attacker-controlled browser/device as a trusted session, often while the victim’s phone continues working normally.

Unlike classic takeovers, GhostPairing typically requires no password theft and no SIM swap; the victim is manipulated into approving the link themselves by entering a pairing code or scanning a QR code. Early activity was observed in Czechia and we tag this campaign as high severity.

For individuals and organizations, the risk is message surveillance + impersonation at scale, which turns end‑to‑end encryption into a non-factor once the attacker becomes a “legitimate endpoint.”

Gen Digital’s research (Dec 15, 2025), documents the campaign and explains how victims are tricked into completing the official device linking flow. They provided public indicators (domains and URL path patterns) and argues the operation has kit-like behavior (reused templates and replaceable domains).

Our independent security coverage from reinforces the same core point: this is not an encryption break or a software exploit rather, it’s feature abuse + persuasion (“verify to view a photo”) that results in a hidden linked session.

How to Link WhatsApp to Another Phone: A Detailed Guide?

Распространяется схема скрытого захвата аккаунтов WhatsApp — GhostPairing

How To Use WhatsApp On Two Phones With Same Number

WhatsApp Ghost Pairing Scam Explained: Telangana Police Issue Cyber Alert – Shunyatax Global

Technical analysis of GhostPairing mechanics and attacker TTPs

GhostPairing succeeds because it moves the attacker “inside” the account by adding a trusted linked device. Here are the two observed flows:

QR-based linking: the scam page shows a QR code that the victim is told to scan from the app’s Linked Devices menu.
Phone number + numeric pairing code: the victim enters their phone number on a lookalike page; a numeric pairing code is displayed and the victim is instructed to enter it in the app, thereby approving a new linked device. This is described as the more practical and more common variant because it can be completed on a single phone.

From a TTP perspective, three traits stand out:

First, trust-based propagation. The lure often arrives from a compromised contact and is short, informal, and curiosity-driven (e.g., “Hey, I just found your photo!”).

Second, brand mimicry. Many landing pages imitate Facebook styling to make “verification” feel normal, especially given shared ownership under Meta Platforms.

Third, scalable infrastructure. There are clusters of lookalike domains and recurring URL path strings (e.g., /login/post.com, /login/facepost.com), consistent with commoditized kits that can be rotated when blocked.

Rendering diagram...

View diagram source

flowchart TD
    subgraph Lure Phase
    A[Victim receives lure via trusted contact] --> B[Clicks link with spoofed preview]
    end

    subgraph The Switch
    B --> C[Fake 'Viewer' page requests Verification]
    C --> D[Victim enters phone number]
    D -.->|Scammer inputs number| E[Legitimate App triggers Link Request]
    end

    subgraph The Handshake
    E --> F[Scammer mirrors Pairing Code to Scam Page]
    F --> G[Victim enters code into their real App]
    G --> H[Attacker session is Authenticated]
    end

    subgraph Post-Exploit
    H --> I[Impersonate & Spread Lure to new contacts]
    H --> J[Data Exfiltration: Messages/Media]
    end

    style A fill:#f96,stroke:#333
    style H fill:#f66,stroke:#333

Impact assessment for individuals and organizations

Once a device is linked, the attacker typically gains WhatsApp Web–equivalent capabilities: reading synced conversations (subject to sync), receiving new messages in real time, downloading media, and sending messages as the victim, often without locking the victim out. This is precisely why security writers describe it as “silent”: the victim’s app often continues functioning, reducing suspicion.

For individuals, the risk concentrates in privacy loss (sensitive chats/media) and fraud (impersonation of “you” to family and friends). Voice notes and photos can be repurposed into higher-impact impersonation and extortion attempts.

For organizations, especially those that use WhatsApp for staff coordination, customer updates, or informal approvals, the impact expands into:

Business impersonation and payment diversion: attackers can message finance/admin teams from a real employee account inside real group chats.
Data leakage: screenshots, invoices, customer records, and operational details shared in chats can be exfiltrated.
Supply-chain risk: a compromised vendor contact can socially engineer linked-device approvals or push fraud instructions across partner groups.

Linked sessions are long-lived unless revoked, so a single successful trick can create extended dwell time. (WhatsApp documentation also describes linked-device lifecycle behaviors such as inactivity disconnects, but defenders should not rely on timeouts as a control.)

Mitigation and detection guidance

Mitigation starts with treating pairing codes like OTPs: never enter a code or scan a QR because a web page tells you to. If you didn’t initiate linking inside the app, stop.

On the user side, the fastest containment step is to review and remove unknown linked sessions (Settings → Linked Devices). Multiple sources emphasize that this single action breaks the attacker’s live session.

Add defense-in-depth: enable two-step verification to reduce exposure to other takeover modes (e.g., re-registration attempts using SMS codes), while recognizing it may not fully prevent device-linking social engineering.

For organizations, identify where WhatsApp is part of critical workflows and apply friction:

Exposure scenario	Likely impact	Recommended control
Exec/finance WhatsApp use	Payment diversion, CEO fraud	Out-of-band approval (voice call + ticket), “no payments via chat” policy
Staff group chats	Recon + impersonation	Mandatory awareness drills + group admin controls
Customer support via WhatsApp	Brand abuse, data leakage	Use Business tooling + strict account/device policy + rapid takedown process

Detection is hardest where there is no telemetry. In most environments, the best practical detection is indirect: DNS/proxy logs for known scam domains, plus user reporting of unexpected linking prompts. Public indicators make this feasible for network monitoring.

Enterprise-grade signals to watch (where available): sudden spikes in outbound messages to many contacts, unusual “helpdesk” complaints of strange links, and proxy access to lookalike “photo/post” domains shortly before an account is abused.

Incident response playbook

A GhostPairing event should be treated as an identity compromise (not just a “scam message”). A minimal response checklist:

Phase	Actions
Triage	Check Linked Devices; capture screenshots; identify unknown sessions.
Containment	Log out unknown/all linked devices; re-link only trusted devices.
Eradication	Block known domains/URL patterns at DNS/proxy; reset internal trust assumptions (e.g., stop approvals via chat).
Recovery	Notify contacts/groups that prior messages may be malicious; monitor for follow-on impersonation.
Lessons learned	Update awareness training with real lures and screenshots; add a “pairing code is an OTP” banner to internal comms.

Public IOC/indicator pack

These indicators are drawn from the Gen Digital research and related public reporting. They are highly perishable and should be used as leads, not as a complete blocklist.

Observed scam domains (examples):

photobox[.]life
postsphoto[.]life
yourphoto[.]life
photopost[.]live
yourphoto[.]world
top-foto[.]life
fotoface[.]top

Observed URL/path patterns (examples):

/login/post.com
/login/facepost.com

Common lure templates:

“Hey, I just found your photo!”
“Hi, check this photo”

Phone numbers / sender IDs: Not consistent; we recommend treating them as case-specific artifacts during investigations.

Detection queries table

Data source	What to look for	Why it matters
DNS logs	Queries for known scam domains (above)	High-confidence early signal of exposure
Proxy/HTTP logs	Requests to /login/post.com or /login/facepost.com paths	Matches reported kit patterns
EDR network telemetry	Same domains/paths from corporate endpoints	Helps identify affected users/devices
Helpdesk tickets	“Unexpected verification/pairing prompt” reports	Common human-visible precursor

Sample SIEM queries

Splunk (proxy or DNS logs)

(index=dns OR index=proxy)
( query IN ("photobox.life","postsphoto.life","yourphoto.life","photopost.live","yourphoto.world","top-foto.life","fotoface.top")
  OR url="*/login/post.com*"
  OR url="*/login/facepost.com*" )
| stats count min(_time) as first_seen max(_time) as last_seen values(user) values(src_ip) values(url) by query
| convert ctime(first_seen) ctime(last_seen)

Microsoft Sentinel (KQL) – Defender for Endpoint DeviceNetworkEvents

DeviceNetworkEvents
| where RemoteUrl has_any ("photobox.life","postsphoto.life","yourphoto.life","photopost.live","yourphoto.world","top-foto.life","fotoface.top")
   or RemoteUrl contains "/login/post.com"
   or RemoteUrl contains "/login/facepost.com"
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices=make_set(DeviceName), Users=make_set(InitiatingProcessAccountName) by RemoteUrl
| order by LastSeen desc

Elastic (ES|QL) – proxy logs

FROM logs-proxy*
| WHERE url.domain IN ("photobox.life","postsphoto.life","yourphoto.life","photopost.live","yourphoto.world","top-foto.life","fotoface.top")
   OR url.path LIKE "*\/login\/post.com*"
   OR url.path LIKE "*\/login\/facepost.com*"
| STATS first_seen = MIN(@timestamp), last_seen = MAX(@timestamp), users = VALUES(user.name), src_ips = VALUES(source.ip) BY url.domain, url.path
| SORT last_seen DESC

Organizations using our ARGOS Platform don’t spend time reading such a post because they’re 24/7 protected by our 24/7 SOC and ISO 270001 certified datacenters across 4 continents. Book a free threat assessment and get an overview of how safe your organization is.