
Researcher Withdraws $1 Million WhatsApp Exploit from Pwn2Own 2025


The cybersecurity community was abuzz this week after a much-anticipated $1 million WhatsApp exploit demonstration was withdrawn from the Pwn2Own Ireland 2025 competition. The event, hosted by Trend Micro’s Zero Day Initiative (ZDI), is one of the world’s premier hacking contests, where researchers publicly demonstrate novel exploits to responsibly disclose vulnerabilities under controlled conditions.

While disappointment spread quickly following the withdrawal, subsequent updates revealed that the exploit’s technical viability may not have lived up to its initial hype.

The Pwn2Own Event and the $1 Million Bounty

Pwn2Own is known for its high-stakes challenges, offering large financial rewards for practical, reproducible demonstrations of software and hardware vulnerabilities. This year’s event saw over $1 million in total payouts, with bounties ranging from a few thousand dollars to six-figure prizes for successful exploits against routers, NAS devices, smartphones, smart home systems, and other connected technologies.

Among these, the $1 million WhatsApp exploit—described as a potential zero-click remote code execution (RCE) vulnerability—was the most anticipated. The researcher behind it, Eugene (3ugen3) from Team Z3, was scheduled to showcase the exploit on Thursday.

However, shortly before the presentation, ZDI announced a delay due to travel complications, which was later clarified as a full withdrawal.

Behind the Withdrawal

According to ZDI’s head of threat awareness, Dustin Childs, the researcher ultimately decided not to perform the public demonstration, citing insufficient readiness for such a high-profile exploit showcase.

“Team Z3 is disclosing their findings to ZDI analysts to do an initial assessment before handing it over to Meta engineers,” Childs confirmed.

The decision raised questions and speculation across the infosec community about whether the exploit was technically sound or had been overstated in its potential.

Statements from the Researcher and Meta

Eugene later confirmed to SecurityWeek that he had reached an agreement with both ZDI and Meta (WhatsApp’s parent company) to keep the research private. He also noted that a non-disclosure agreement (NDA) prevents him from releasing further details, citing privacy and safety concerns.

For its part, WhatsApp stated that only two low-risk vulnerabilities were identified, neither capable of arbitrary code execution.

“We’re disappointed that Team Z3 withdrew from Pwn2Own because they didn’t have a viable exploit,” a WhatsApp spokesperson said. “We remain committed to working with researchers through our bug bounty program.”

Broader Implications

The event underscores the growing complexity of mobile messaging platforms and the scrutiny they attract from both offensive and defensive security researchers. While the $1 million WhatsApp exploit failed to materialize publicly, the episode highlights the value of responsible disclosure, the importance of verification before publication, and the continued collaboration between researchers and vendors in strengthening global cybersecurity.