Threat actors are exploiting WhatsApp's legitimate device-linking feature in a scheme called GhostPairing, allowing them to hijack accounts without needing authentication. Victims receive a message from a known contact with a link that appears to lead to a photo. The link actually directs them to a fake Facebook page, convincing them to log in for verification. Once they enter their phone number, the attacker initiates the device-linking process, generating a pairing code displayed on the fake page. When victims input this code, they unknowingly grant the attacker full access to their WhatsApp account. Once linked, the attacker can read messages in real time, access shared media, and send messages to other contacts, potentially spreading the scam further. Gen Digital identified this campaign in Czechia but warns that it can easily spread to other regions, using compromised accounts to target new victims. Users are often unaware that a second device has been connected to their account, making the attack particularly insidious. To detect a compromise, users need to check the Linked Devices section in their WhatsApp settings. Gen Digital advises users to be cautious with messages that prompt quick action and to verify the identity of the sender. Activating two-factor authentication can provide an additional layer of security. This attack method isn’t unique to WhatsApp; similar tactics have been used against other messaging apps like Signal, particularly by Russian threat actors.