Pwn2Own WhatsApp Hacker Says Exploit Privately Disclosed to Meta

Questions have been raised over the technical viability of the purported WhatsApp exploit, but the researcher says he wants to keep his identity private.

A total of $1,024,750 has been paid out at the Pwn2Own Ireland 2025 hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), but the event has been overshadowed by the last-minute withdrawal of a researcher who was scheduled to demonstrate a WhatsApp exploit worth $1 million. 

The highest reward at Pwn2Own Ireland 2025, $100,000, was paid out for an exploit chain targeting the QNAP Qhora-322 router and the QNAP TS-453E NAS device. 

Two Samsung Galaxy S25 exploit chains were each rewarded with $50,000, and the same amount was earned for vulnerabilities in Synology ActiveProtect Appliance DP320 and the Sonos Era 300 smart speaker. 

Participants received up to $40,000 for hacking Ubiquiti cameras, QNAP and Synology NAS devices, Lexmark and Canon printers, and smart home systems such as Philips Hue Bridge, Amazon Smart Plug, and Home Automation Green.

A total of 73 previously unknown vulnerabilities were disclosed at Pwn2Own Ireland 2025. 

A researcher named Eugene (3ugen3) of Team Z3 was scheduled to demonstrate a $1 million zero-click remote code execution exploit against WhatsApp on Thursday. 

However, the demonstration did not take place. ZDI initially said there was a delay due to “travel complications and delayed flights”, but noted that the researcher would still submit his exploit. ZDI later announced that the researcher withdrew from the competition, citing concerns that the exploit was not sufficiently prepared for a public demonstration.

“Team Z3 has withdrawn their WhatsApp entry from Pwn2Own as they did not feel their research was ready to publicly demonstrate,” said Dustin Childs, head of threat awareness at ZDI.

“However, Meta remains interested in receiving this research. Team Z3 is disclosing their findings to ZDI analysts to do an initial assessment before handing it over to Meta engineers,” Childs added. “While we are disappointed that we don’t get to publicly show the demo on the Pwn2Own stage, we’re happy to facilitate the coordinated disclosure to Meta so they have the opportunity to address issues should they prove valid.”

No updates have been shared on ZDI’s assessment, whether any zero-day exploit information has been shared with Meta, and whether the social media giant paid any bounty for the WhatsApp hack. 

The delay, the withdrawal, and the lack of public disclosure have led to wide-ranging disappointment and speculation within the security industry regarding the technical viability of the purported exploit.

Contacted by SecurityWeek, Eugene, who appears to be from China, described Pwn2Own as an “amazing event”. The researcher said, “We decided to keep everything private between Meta, ZDI and myself. No comments,” adding that he did not want his true identity revealed to the public. 

Eugene told SecurityWeek that he signed an NDA that prevents him from sharing any details.

SecurityWeek has also reached out for comment to ZDI and WhatsApp and will update this article if they respond. 

UPDATE: A WhatsApp spokesperson has provided the following statement to SecurityWeek. A follow-up article with additional information is available here.

“We’re disappointed that Team Z3 withdrew from Pwn2Own yesterday because they didn’t have a viable exploit, but we were in contact with ZDI and Team Z3 to understand their research so we can triage the low-risk bugs we received. As always, we stand ready to receive valid research from the community through our bug bounty program and are grateful to security researchers and Pwn2Own for ongoing collaboration.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
