GhostPairing WhatsApp pairing-code account-hijacking campaign
Campaign
Summary
GhostPairing is an active WhatsApp account-hijacking campaign that abuses the platform’s device-linking feature to take over accounts via pairing codes, creating a direct risk of impersonation and fraud. The operation was first spotted in Czechia and can spread to other regions as compromised accounts are reused to reach new targets. Once a victim links the attacker’s device, the attacker can read conversation history and shared media and send messages from the account. The campaign uses a deceptive Facebook-style lure and a legitimate pairing workflow to bypass the need for stolen passwords or other authentication bypasses.
Related Happenings
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
AccountDumpling Google AppSheet Facebook phishing campaign
Campaign
First: 01.05.2026 21:09
Last: 01.05.2026 21:09
Sources 1
About this happening:
A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
Unnamed high-profile Lebanese journalist hit by network compromise
Incident
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
An **unnamed high-profile Lebanese journalist** had an **Apple account** successfully compromised in **2025**, creating unauthorized access to a personal and professional identity...
Signal and WhatsApp anti-phishing account-hardening guidance
Defensive Guidance
First: 21.03.2026 15:17
Last: 21.03.2026 15:17
Sources 1
About this happening:
A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...
Meta rolls out anti-scam protections and AI scam detection across WhatsApp, Facebook, and Messenger
Security Tool/Service
First: 11.03.2026 15:29
Last: 11.03.2026 15:29
Sources 1
About this happening:
Meta is rolling out **anti-scam protections** across **WhatsApp, Facebook, and Messenger**, using warnings and AI detection to block scams before users engage. The updates target...
Timeline
-
17.12.2025 21:14 2 articles · 5mo ago
GhostPairing WhatsApp account-hijacking campaign first spotted in Czechia
Initial Disclosure
Gen Digital describes GhostPairing as a WhatsApp account-hijacking campaign that abuses WhatsApp’s legitimate device-linking feature and pairing codes to take over WhatsApp user accounts without needing authentication. The lure uses a fake Facebook verification page on typosquatted or similar-looking domains. The campaign was first spotted in Czechia and can spread to other regions through compromised accounts. Once a victim links the attacker’s browser, the attacker can read conversation history and shared media and may use the account for impersonation or fraud.
Sources
- WhatsApp device linking abused in account hijacking attacks — www.bleepingcomputer.com — 17.12.2025 21:14