
Vulnerabilities

$1M WhatsApp Hack Flops: Only Low-Risk Bugs Disclosed to Meta After Pwn2Own Withdrawal

WhatsApp told SecurityWeek that the two low-impact vulnerabilities cannot be used for arbitrary code execution. The post $1M WhatsApp Hack Flops: Only Low-Risk Bugs Disclosed to Meta After Pwn2Own Withdrawal appeared first on SecurityWeek.


Much of the cybersecurity community was disappointed to learn on Thursday that a researcher scheduled to demonstrate a $1 million WhatsApp exploit at the Pwn2Own hacking contest had withdrawn from the event, but it appears that some have correctly speculated regarding the exploit’s technical viability.  

A total of more than $1 million was paid out to the researchers who took part in the Pwn2Own Ireland 2025 contest organized this week by Trend Micro’s Zero Day Initiative (ZDI). Bounties ranging between a few thousand dollars and $100,000 were awarded to white hat hackers who publicly demonstrated exploits against printers, routers, NAS devices, smartphones, and smart home systems.

On Thursday, a researcher named Eugene (3ugen3) from a team called Team Z3 was scheduled to attempt to demonstrate a $1 million zero-click remote code execution exploit against WhatsApp, but the public demonstration did not take place.

ZDI initially said there was a delay due to “travel complications” and later announced that the researcher had withdrawn from the competition, citing concerns that the exploit was not sufficiently prepared for a public demonstration.

However, ZDI said on Thursday evening that the researcher had still agreed to privately disclose his findings.

“Team Z3 is disclosing their findings to ZDI analysts to do an initial assessment before handing it over to Meta engineers,” said Dustin Childs, head of threat awareness at ZDI.

The chain of events led to wide-ranging disappointment and speculation within the security industry regarding the technical viability of the purported WhatsApp exploit.    

Eugene, who appears to be from China, confirmed to SecurityWeek the following morning that he decided with ZDI and Meta that everything would be kept private, in part also to protect his identity from the public. The researcher said he had signed an NDA that prevents him from sharing any details.

However, WhatsApp told SecurityWeek it is reviewing two vulnerabilities rated ‘low risk’, neither of which is useful for achieving arbitrary code execution.

“We’re disappointed that Team Z3 withdrew from Pwn2Own yesterday because they didn’t have a viable exploit, but we were in contact with ZDI and Team Z3 to understand their research so we can triage the low-risk bugs we received,” a WhatsApp spokesperson said.

“As always, we stand ready to receive valid research from the community through our bug bounty program and are grateful to security researchers and Pwn2Own for ongoing collaboration,” the spokesperson added. 
