Much of the cybersecurity community was disappointed to learn on Thursday that a researcher scheduled to demonstrate a $1 million WhatsApp exploit at the Pwn2Own hacking contest had withdrawn from the event, but it appears that some have correctly speculated about the exploit’s technical viability.
A total of more than $1 million was paid out to the researchers who took part in the Pwn2Own Ireland 2025 contest organized this week by Trend Micro’s Zero Day Initiative (ZDI). Bounties ranging between a few thousand dollars and $100,000 were awarded to white hat hackers who publicly demonstrated exploits against printers, routers, NAS devices, smartphones, and smart home systems.
On Thursday, a researcher named Eugene (3ugen3) from a team called Team Z3 was scheduled to attempt to demonstrate a $1 million zero-click remote code execution exploit against WhatsApp, but the public demonstration did not take place.
ZDI initially said there was a delay due to “travel issues” and later announced that the researcher had withdrawn from the competition, citing concerns that the exploit was not sufficiently ready for a public demonstration.
However, ZDI said on Thursday night that the researcher had still agreed to privately disclose his findings.
“Team Z3 is disclosing their findings to ZDI analysts to do a preliminary evaluation before handing it over to Meta engineers,” said Dustin Childs, head of threat awareness at ZDI.
The chain of events led to widespread disappointment and speculation across the security industry about the technical viability of the purported WhatsApp exploit.
Eugene, who appears to be from China, confirmed to SecurityWeek the following morning that he decided with ZDI and Meta that everything would be kept private, partly also to protect his identity from the public. The researcher said he had signed an NDA that prevents him from sharing any details.
However, WhatsApp told SecurityWeek it is reviewing two vulnerabilities rated ‘low risk’, neither of them being useful for achieving arbitrary code execution.
“We’re disappointed that Team Z3 withdrew from Pwn2Own yesterday because they didn’t have a viable exploit, but we were in contact with ZDI and Team Z3 to understand their research so we can triage the low-risk bugs we received,” a WhatsApp spokesperson said.
“As always, we stand ready to receive valid research from the community through our bug bounty program and are grateful to security researchers and Pwn2Own for ongoing collaboration,” the spokesperson added.
