Ghostpairing: How Malicious Actors Can Gain Access to the WhatsApp Accounts of Business Leaders and Other High-Profile Individuals

Ghostpairing is a social engineering technique that enables malicious actors to gain access to their victims’ WhatsApp accounts without the victims’ knowledge.
Are you aware of the information and documents you receive and send via WhatsApp? Many business owners, executives, political leaders, and professionals use this instant messaging app not only for personal use but also for business purposes.
Exchanging strategic information—such as business proposals or unannounced developments—or receiving documents like contracts, invoices, or client lists is becoming increasingly common. And malicious actors are well aware of this.
Gaining access to the WhatsApp conversations of individuals of interest has been a goal pursued by many malicious actors in recent years.
As a result of these efforts, campaigns employing a novel social engineering technique—Ghostpairing—have been detected in recent months.
Through Ghostpairing, attackers trick their victims into allowing them to link their WhatsApp accounts to attacker-controlled browsers. This means they can read conversations, download documents, listen to audio messages, and even take control of the accounts and send messages while impersonating the victims.
Next, we’ll explain what Ghostpairing is and how individuals of interest and their companies or institutions can counter this social engineering technique.
Social engineering, malware, exploiting Bluetooth vulnerabilities… Different methods for the same goal: Spying on the cell phones of individuals of interest
Cyber spying on business leaders and individuals of interest has gained prominence over the past five years, with a focus on cell phones. Why? Today, smartphones are practically an extension of our bodies.
If an ordinary person never parts with their phone and uses it to handle sensitive tasks such as making payments from their bank account or sharing information with coworkers, it’s almost impossible to see a business executive or manager without a phone in their hand. In a fast-paced world characterised by mobility and constant connectivity, the cell phone has become almost a reflection of our very soul.
Through what means do malicious actors attempt to spy on the cell phones of people of interest?
- Social engineering to obtain a vector for accessing devices.
- The use of malware, such as spyware, to persist on mobile phones and gain access to particularly sensitive applications, including banking apps, instant messaging apps like WhatsApp, and email clients.
- The exploitation of vulnerabilities related to the Bluetooth standard. For example, eavesdropping on conversations through weaknesses in wireless headphones or geolocating devices. That is why conducting Bluetooth security audits is essential to protect not only mobile phones but also all IoT devices that connect to them.
Ghostpairing represents an innovation in the field of social engineering, following in the footsteps of previous techniques such as WhatsApp account theft, which forces victims to provide the verification code to transfer a WhatsApp account from one phone to another.
What Is Ghostpairing?
Ghostpairing is a much more subtle technique, as the victim does not lose access to their account. This allows malicious actors to gain access to their victims’ WhatsApp accounts for days or even weeks.
As you may already know, many people don’t just use WhatsApp on their cell phones; they also access the app through their computer’s browser. This practice is particularly common in business and work settings, where people want to keep an eye on WhatsApp while working on a laptop or desktop computer.
Recognising this, WhatsApp allows users to link WhatsApp Web or its desktop app to an account that’s currently active on a mobile device. The process is very simple: just scan the QR code that appears in the browser using the app, or enter a code provided by the browser—from which you’re trying to use WhatsApp Web—into the mobile app.
How can malicious actors exploit this process through Ghostpairing?
- They send their victims WhatsApp messages containing a link. The message encourages the recipient to click on the link. For example, it claims the link leads to a photo in which the victim can see themselves.
- The link takes the victim to a page that appears to be part of the Meta ecosystem: Facebook, Instagram, WhatsApp…
- On this fake page, the victim is prompted to enter a code in their WhatsApp app or scan a QR code to access the photo. In this way, the victim themselves links their WhatsApp account to the browser or desktop app controlled by the malicious actor.
- The attacker can freely access the victim’s conversations without the victim being aware of it.

Why Can Ghostpairing Be Successful?
Ghostpairing combines several factors that contribute to the successful deception of victims:
- In many cases, malicious actors send fake messages from legitimate WhatsApp accounts to the contacts with whom those accounts regularly interact. In other words, this creates what is commonly referred to as a snowball effect. Attackers manage to take control of WhatsApp accounts and use them to spread their campaign. Since the message comes from the account of someone the victim trusts, the victim doesn’t suspect anything.
- Malicious actors use messages as simple—yet as effective—as “Find yourself in this photo.” We must not forget that the initial success of social media was built precisely on posting photos and tagging friends, family, or colleagues in them.
- Campaigns have also been detected in which malicious actors impersonate WhatsApp itself. They ask their victims to scan a QR code for app-related reasons. For example, to verify the user’s account or install a supposed security update.
- The fake pages where Ghostpairing is carried out are remarkably convincing. They look exactly like the Facebook or Instagram interfaces.
- If the attackers do not take any action on the accounts they have illegally linked, the victims do not suspect that their accounts have been compromised. This means the link can remain active long enough for attackers to access confidential information or steal documents.
Why Is Ghostpairing Particularly Problematic for Companies and Institutions?
As we’ve noted, Ghostpairing is a malicious technique that leaves victims’ WhatsApp conversations wide open.
For the average person, WhatsApp chats do not contain information or documents that are particularly valuable to malicious actors.
But the same is not true for business owners, executives, professionals in positions of responsibility within companies, political leaders, high-level public officials, or other individuals of interest.
That is why Ghostpairing is not only a threat to individuals: companies and institutions must adapt their security strategies to counter this social engineering technique.
If information or documents shared by a key figure within an organisation fall into the wrong hands, the company or institution may suffer:
- Impersonation of individuals and organisations to commit scams against their WhatsApp contacts.
- Financial fraud.
- Extortion in exchange for not publishing the information, documents, photographs, videos, or audio recordings that have been collected.
- Public disclosure of confidential information or the sale of trade secrets to competitors.
- Theft of intellectual or industrial property.
- Legal consequences if the personal data of third parties—such as customers, partners, or suppliers—is disclosed.
How Can Ghostpairing Be Detected?
If malicious actors use the accounts they have fraudulently linked to send messages, victims will easily notice that something is wrong.
However, if attackers act covertly and limit themselves to reading conversations, downloading shared files, or listening to sent and received audio messages, victims believe everything is functioning normally.
Therefore, to detect Ghostpairing campaigns, it is recommended that all citizens—but especially executives, political leaders, and other high-profile individuals—periodically check their linked devices on WhatsApp.
This is very simple to do. Basically, open the WhatsApp mobile app, tap the three dots on the right side of the screen, and select “Linked Devices.” This will display all active sessions linked to your WhatsApp account. If you detect a session that you did not open yourself, simply close it to stop the Ghostpairing attack.
In addition, in response to the growing use of Ghostpairing by malicious actors, WhatsApp has implemented a linked device alert feature that notifies users when a suspicious pairing attempt is detected, allowing them to approve or reject the pairing.

What Should Victims of Ghostpairing Do?
The Spanish National Cybersecurity Institute (INCIBE) recommends that victims of Ghostpairing:
- Conduct a security audit of their phones to verify that no malware was downloaded or installed.
- Change all passwords that may have been disclosed in WhatsApp conversations.
- Notify all contacts with whom they have communicated since the account was fraudulently linked.
- If the WhatsApp account or the information stored in it has been used to commit fraud, gather all available evidence and file a report with the National Police or the Civil Guard.
Additionally, if the victim is a business owner, executive, or political leader, it is critical to immediately inform the organisation’s cybersecurity team so it can coordinate incident response measures to minimise impact and prevent malicious actors from persisting within the organisation’s technological infrastructure.
How Can Ghostpairing Be Prevented?
To address the threat posed by Ghostpairing, organisations can:
- Develop cybersecurity best practices that include:
  - Installing security updates released by the app.
  - Limiting the use of WhatsApp as a tool for exchanging corporate information and documents.
  - Implementing two-factor authentication to link devices on WhatsApp.
  - Prohibiting clicking on suspicious links, even if sent by trusted accounts, without first verifying through another means that the link is legitimate.
  - Requiring employees to immediately report any suspicious activity to the organisation’s cybersecurity team.
  - Implementing secure BYOD (Bring Your Own Device) policies and using MDM software to enforce restrictions on mobile devices used for work purposes.
- Install EDR on corporate devices and on personal mobile phones used for work. This type of solution provides continuous detection and response to suspicious activity.
- Conduct social engineering tests to train and raise awareness among staff about the most innovative techniques used by malicious actors, such as Ghostpairing.
- Have a proactive incident response team capable of identifying the scope of the breach and orchestrating an effective response to expel malicious actors and limit the impact of attacks.
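
When employees report a suspicious link, the cybersecurity team can start by checking whether a page that presents itself as Facebook, Instagram or WhatsApp is actually hosted on a Meta domain. The following Python sketch is an added example, not part of the original article or of any WhatsApp tooling; the domain allowlist, the character-folding table and the function name `triage_link` are assumptions made for illustration, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains treated as genuinely Meta-operated.
# Maintain this allowlist yourself; it is not taken from the article.
META_DOMAINS = {"facebook.com", "fb.com", "instagram.com", "messenger.com",
                "meta.com", "whatsapp.com", "wa.me"}
BRANDS = ("facebook", "instagram", "whatsapp")
# Small constructed table folding common digit-for-letter swaps and hyphens.
FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "-": ""})


def triage_link(url):
    """Classify a reported link as 'genuine-domain', 'suspect' or 'unrelated'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "suspect", ["no hostname could be parsed"]
    reasons = []
    if parts.username is not None:
        # https://facebook.com@host/ displays a brand but connects to 'host'.
        reasons.append("userinfo before the real host: " + parts.username)
    on_meta = any(host == d or host.endswith("." + d) for d in META_DOMAINS)
    if on_meta and not reasons:
        return "genuine-domain", [host]
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, decode and inspect by hand")
    folded = host.translate(FOLD)
    for brand in BRANDS:
        if brand in folded and not on_meta:
            reasons.append("brand '%s' in non-Meta host %s" % (brand, host))
    return ("suspect", reasons) if reasons else ("unrelated", [host])


# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = [
    "https://web.whatsapp.com/",
    "https://facebook.com.photo-login.example/view?id=1",
    "https://faceb00k-photos.example/you",
    "https://instagram.com@media-check.example/p/1",
    "https://intranet.example.org/wiki",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, why = triage_link(link)
        print(f"{verdict:15} {link}  {'; '.join(why)}")
```

A "genuine-domain" verdict only confirms where the page is hosted; a link that asks the recipient to scan a QR code or enter a pairing code in WhatsApp should still be verified through another channel.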