
$1 million WhatsApp hack at Pwn2Own Ireland confirmed.
October 23 should stick in the memory of smartphone users for some time to come. This is the day that the Samsung Galaxy S25 was hacked, including gaining access to the camera and location tracking. It was also the day that the information security world got its collective panties in a bunch as the hype built around a hacker who had, supposedly, uncovered a zero-click, WhatsApp Messenger zero-day vulnerability and was going to demonstrate the exploit and win a record-breaking $1 million bounty. Except the latter never happened. First, we were told that a flight delay meant the exploit demo would be pushed back later in the day, and then that it had been withdrawn. Now, the mystery has deepened as the hacker refuses to comment and the Pwn2Own Ireland hacking event organizer, Trend Micro ZDI, has said it is facilitating a “coordinated disclosure to Meta” instead. Here’s everything we know so far.
The $1 Million WhatsApp Messenger Hack Mystery
As I have said many times before, hacking is not a crime; criminal hacking is. If you want to understand what I mean by that, look no further than the Pwn2Own event that wraps up on October 23 in Ireland. It is here that some of the world’s hacking elite gather to compete for, in the case of 2025, a prize fund of $2 million in total, by discovering and exploiting zero-day vulnerabilities in popular hardware and software products, with the full blessing of the vendors concerned. Pwn2Own hackers are the good folk, finding zero-day vulnerabilities, proving them by way of an exploit under timed competition conditions, and then handing over everything they have got to the vendor.
As the final day of the Pwn2Own Ireland 2025 hacking event entered its final phase, the biggest single reward ever offered by the organizers, $1 million, was up for grabs by a hacker known only as ‘Eugene’ from Team Z3. This would be the Messenger holy grail hack, a successful zero-day, zero-click, remote code execution hack targeting WhatsApp.
However, it never happened. While hackers, security researchers, the information security industry, and Meta itself waited for the exploit to be demonstrated, news arrived that the attempt had been canceled.
WhatsApp Hack: Meta Remains Interested In Receiving This Research
“Team Z3 has withdrawn their WhatsApp entry from Pwn2Own as they did not feel their research was ready to publicly demonstrate,” Dustin Childs, head of threat awareness at Trend Micro ZDI, told me. Make of that what you will. Some interested onlookers have taken to social media to suggest it means there never was an actual exploit in the first place, but the plot thickened as Childs continued: “Meta remains interested in receiving this research,” he said, adding that “Team Z3 is disclosing their findings to ZDI analysts to do an initial assessment before handing it over to Meta engineers. While we are disappointed that we don’t get to publicly show the demo on the Pwn2Own stage, we’re happy to facilitate the coordinated disclosure to Meta so they have the opportunity to address issues should they prove valid.”
I have approached Meta for a comment, but meanwhile, the hacker involved told Security Week that it had been “decided to keep everything private between Meta, ZDI and myself,” concluding with “no comments.”
I will update this article should I hear anything more from Meta or Trend Micro ZDI regarding the mystery WhatsApp zero-click exploit.