$1M WhatsApp Hack Flops — Only Low-Risk Bugs Disclosed to Meta After Pwn2Own Withdrawal
A high-profile WhatsApp hack that was expected to earn its researcher $1 million at the Pwn2Own Ireland 2025 competition ended in disappointment this week, after the demonstration was quietly withdrawn at the last moment. The researcher, known as Eugene (3ugen3) from Team Z3, cited technical readiness issues and confidentiality concerns before pulling the plug on the public demo.
Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own Ireland distributed over $1 million in total prizes to ethical hackers who successfully exploited routers, NAS devices, and smart systems. But the event’s centerpiece — a claimed zero-click remote code execution exploit for WhatsApp — never materialized.
Withdrawn Before Demonstration
Originally slated for Thursday, Team Z3’s exploit was expected to showcase full device compromise through WhatsApp with no user interaction. Early speculation in cybersecurity circles suggested the vulnerability chain was unstable, and those rumors proved accurate. ZDI first attributed the cancellation to travel complications, but later confirmed the withdrawal was due to the exploit’s incomplete state.
“Team Z3 is disclosing their findings to ZDI analysts to do an initial assessment before handing it over to Meta engineers,” said Dustin Childs, head of threat awareness at ZDI. The research has since been shared privately with Meta under NDA.
Meta Confirms Only Low-Risk Bugs
Meta, the parent company of WhatsApp, confirmed that only two low-risk vulnerabilities were identified — neither capable of achieving arbitrary code execution. “We’re disappointed that Team Z3 withdrew from Pwn2Own yesterday because they didn’t have a viable exploit,” a WhatsApp spokesperson told SecurityWeek. “We are triaging the low-risk bugs we received.”
WhatsApp further stated that both vulnerabilities were minor and did not represent exploitable attack surfaces in real-world conditions. No user data or systems were compromised during testing.
Industry Reactions
The sudden cancellation triggered frustration across the cybersecurity and hacker-for-hire community. Many had speculated that the exploit could redefine attack surfaces in encrypted messaging platforms. Instead, the withdrawal underscored how rare stable zero-day exploits in apps like WhatsApp have become.
Eugene confirmed to SecurityWeek that he had agreed with ZDI and Meta to keep the findings confidential, in part to protect his identity. Under a non-disclosure agreement, he was unable to share any technical details about the vulnerabilities or the failed exploit chain.
Bug Bounty Reality
While some in the hacking scene expressed skepticism about the withdrawn exploit, Meta emphasized that valid vulnerability research remains critical. “We stand ready to receive valid research through our bug bounty program and are grateful to security researchers and Pwn2Own for ongoing collaboration,” the company said.
The incident serves as a reminder that while hackers-for-hire and independent exploit developers continue to push technical limits, the gulf between hype and deliverable results remains wide. In this case, a $1 million WhatsApp hack ultimately revealed little more than two minor flaws — but it succeeded in showing how competitive, and unpredictable, the modern vulnerability market has become.