Overview
- The German IT security authority BSI issued a public advisory confirming that criminals abuse WhatsApp’s Linked Devices function to hijack accounts; no platform fix or incident figures were reported.
- Victims are lured via convincing phishing messages—often from compromised contacts or impersonating platforms like Facebook—to fake sites that request identity or phone details.
- Attackers initiate “link device via phone number,” then obtain the eight‑digit pairing code or deploy fake QR codes to bind a new device to the victim’s account.
- Once paired, attackers can access messages, media and contacts while WhatsApp appears to work normally for the victim, enabling prolonged, unnoticed access and further phishing or data theft.
- BSI urges users to scrutinize unexpected messages, avoid entering data on unknown websites, never scan untrusted QR codes for pairing, and enable WhatsApp’s two‑step verification.