In the final weeks of 2025, cybersecurity agencies like CERT-In issued a high-priority warning regarding a sophisticated campaign known as GhostPairing. While the headlines are focused on WhatsApp, the reality is much broader. This isn’t just a “WhatsApp problem”; it is a fundamental shift in how hackers are targeting our digital lives.
Instead of trying to “crack” your encryption, hackers are now using social engineering to trick you into inviting them directly into your account.

How the “GhostPairing” Attack Works
The attack exploits Companion Mode, a feature designed for convenience that allows you to use your account on multiple devices (like a laptop or tablet). The hacker doesn’t need to “break” into your phone; they just need you to “pair” their device to your account by mistake.
- You receive a message from a “trusted” contact (whose account is likely already hacked) saying: “Hey, check out this photo of you!” or “Your photos are in this website.”
- Clicking the link takes you to a professional-looking page that mimics Facebook or a “Photo Viewer.” It asks for your phone number to “verify” your identity.
- Behind the scenes, the hacker enters your number into a real WhatsApp “Link Device” request.
- WhatsApp then sends a 6- or 8-digit pairing code directly to your phone.
- The fake website tells you to enter that code to “see the photo.” The moment you do, the hacker’s browser becomes a linked device on your account.
It’s Not Just WhatsApp: The Telegram Connection
It is a dangerous mistake to think this only happens on one app. Telegram users are equally at risk. Telegram’s “Link Desktop Device” or “QR Code” login works on the exact same principle. Hackers create fake Telegram Web login pages that look identical to the real thing.
If you provide your phone number and the subsequent SMS code to a third-party site, you are handing over a “Master Key” to your entire chat history, including your Saved Messages, files, and private photos. Whether it’s WhatsApp, Telegram, or Signal, the vulnerability isn’t in the code; it’s in the trust we place in the links we click.
The Gold Standard of Digital Defense
To stay safe in 2026 and beyond, we need to move past “being careful” and adopt a strict policy of Zero Trust. Here is the best practice everyone should follow:
The “Emergency Only” Link Policy: Treat every link sent via DM as a potential threat. Never click a link, even from your mother, your boss, or your best friend, unless you were expecting it or it is a verified emergency.
If a friend sends you a link out of the blue, stop. Do not click. Pick up the phone and call them, or send a separate message asking, “Did you just send me a link?” If they say no, their account has been compromised, and you just saved yourself from a total digital takeover. Confirmation is the only thing that stands between your privacy and a hacker’s prying eyes. Remember: A legitimate service will never ask you to enter a pairing code or a 2FA PIN on a random website to “verify” your identity.
Why This is a “Silent” Nightmare
Once a hacker is linked, they aren’t kicked out. Because they are a “linked device,” they act as a trusted session. They can:
- Read your chats in real time.
- Download your private photos, videos, and voice notes.
- Message your contacts pretending to be you (which is how the scam spreads to your friends).
- Stay logged in even if you restart your phone.
How to Audit Your Privacy Right Now
If you have clicked any suspicious links recently, perform these “Digital Health Checks” immediately:
- WhatsApp Audit: Go to Settings > Linked Devices. Log out of any session you don’t recognize (e.g., “Chrome on Windows” in a city you’ve never visited).
- Telegram Audit: Go to Settings > Devices. Tap “Terminate all other sessions” to kick out any potential “ghost” users.
- Enable 2FA: For both apps, go to Account Settings > Two-Step Verification and set up a PIN. This ensures that even if a hacker gets a pairing code, they still can’t access your account settings without your secret PIN.
In an era where our entire lives are stored in our chats, a few seconds of skepticism is the best antivirus you can have. Don’t open the door for them.
