Introduction

India’s Ministry of Electronics and Information Technology (MeitY) has issued a public cybersecurity advisory alerting citizens about a sophisticated cyber campaign dubbed GhostPairing, which is actively being used to hijack WhatsApp accounts. The campaign leverages social engineering techniques combined with abuse of WhatsApp’s legitimate device-linking feature, allowing attackers to gain complete access to user accounts without stealing passwords or performing SIM swap attacks.

Background and Context

WhatsApp’s multi-device or device-linking functionality is designed to allow users to access their accounts across multiple devices by pairing them through a verification code. While this feature improves usability, MeitY has cautioned that threat actors are now exploiting gaps in user awareness around this process, rather than technical vulnerabilities in WhatsApp’s core infrastructure.

The GhostPairing campaign relies primarily on deception and trust exploitation, making it difficult for users to immediately recognize the attack.

Technical Details of the GhostPairing Campaign

According to MeitY’s advisory, the attack chain typically unfolds as follows:

• Victims receive a message from a known or trusted contact, often reading something like “Hi, check this photo.”
• The message includes a malicious link that uses a Facebook-style preview to appear legitimate and convincing.
• Clicking the link redirects the victim to an external webpage that prompts them to enter their phone number under the guise of verification.
• Behind the scenes, attackers initiate WhatsApp’s device-linking process and use the generated pairing code to link their own device to the victim’s account.
• Once linked, attackers gain full access to chats, contacts, and ongoing conversations without triggering traditional security warnings.

Crucially, this method does not require OTP interception, password compromise, or SIM swapping, making it both stealthy and effective.

Impact and Scope

MeitY highlighted that successful exploitation of GhostPairing grants attackers unrestricted access to WhatsApp accounts. This can result in:

• Unauthorized reading of private messages
• Impersonation of victims to scam contacts
• Further spread of malicious links
• Potential financial fraud and identity misuse

Given WhatsApp’s widespread use in India for personal, professional, and business communication, the potential impact is significant.

Government Advisory and Mitigation Measures

The Ministry has urged citizens to adopt the following preventive measures:

• Do not click on suspicious or unexpected links, even if they appear to come from known contacts.
• Never enter your phone number or verification details on external or untrusted websites.
• Regularly review the “Linked Devices” section in WhatsApp settings and immediately remove any unfamiliar devices.
• Stay alert to unusual activity, such as messages marked as read that you did not open or messages sent without your knowledge.

Expert Commentary

Cybersecurity experts note that GhostPairing is a classic example of social engineering-driven attacks evolving to exploit trusted platform features. Rather than attacking infrastructure, threat actors are targeting user behavior, underscoring the importance of digital awareness alongside technical safeguards.

Outlook

As messaging platforms continue to expand cross-device capabilities, similar abuse-driven campaigns are likely to increase. Continuous user education, clearer in-app warnings, and stronger verification prompts around device linking could play a critical role in reducing such risks. MeitY’s advisory serves as an early warning aimed at limiting the spread and effectiveness of GhostPairing across the country.

References and Source Attribution

• Advisory issued by the Ministry of Electronics and Information Technology (MeitY)
• Public cybersecurity awareness communications related to WhatsApp account security