GhostPairing WhatsApp pairing-code account-hijacking campaign
Campaign
Summary
Hide ▲
Show ▼
GhostPairing is an active WhatsApp account-hijacking campaign that abuses the platform’s device-linking feature to take over accounts via pairing codes, creating a direct risk of impersonation and fraud. The operation was first spotted in Czechia and can spread to other regions as compromised accounts are reused to reach new targets. Once a victim links the attacker’s device, the attacker can read conversation history and shared media and send messages from the account. The campaign uses a deceptive Facebook-style lure and a legitimate pairing workflow to bypass the need for stolen passwords or other authentication bypasses.
Related Happenings
Meta For Business Facebook Messenger fake-verification phishing campaign
Campaign
H score29
First: 07.07.2026 10:00
Last: 07.07.2026 10:00
Sources 1
About this happening:
A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Meta For Business Facebook Messenger fake-verification phishing campaign
CampaignAbout this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp contempt motion against NSO Group
Regulatory/Legal Action
H score33
First: 09.06.2026 11:15
Last: 09.06.2026 11:15
Sources 1
About this happening:
WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...
WhatsApp contempt motion against NSO Group
Regulatory/Legal ActionAbout this happening: WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...
NSO Group WhatsApp spear-phishing campaign
Campaign
H score37
First: 08.06.2026 20:08
Last: 08.06.2026 20:08
Sources 1
About this happening:
**NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
NSO Group WhatsApp spear-phishing campaign
CampaignAbout this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
Instagram accounts for Obama White House hit by account takeover attack
Incident
H score40
First: 01.06.2026 20:32
Last: 01.06.2026 20:32
Sources 1
About this happening:
The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...
Instagram accounts for Obama White House hit by account takeover attack
IncidentAbout this happening: The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...
Timeline
-
17.12.2025 21:14 2 articles · 6mo ago
GhostPairing WhatsApp account-hijacking campaign first spotted in Czechia
Initial DisclosureGen Digital describes GhostPairing as a WhatsApp account-hijacking campaign that abuses WhatsApp’s legitimate device-linking feature and pairing codes to take over WhatsApp user accounts without needing authentication. The lure uses a fake Facebook verification page on typosquatted or similar-looking domains, and the campaign was first spotted in Czechia while retaining the ability to spread to other regions through compromised accounts; once a victim links the attacker’s browser, the attacker can read conversation history and shared media and may use the account for impersonation or fraud.
Show sources
- WhatsApp device linking abused in account hijacking attacks — www.bleepingcomputer.com — 17.12.2025 21:14
- WhatsApp device linking abused in account hijacking attacks — www.bleepingcomputer.com — 17.12.2025 21:14