In the last few months, dozens of WhatsApp accounts in Italy have been compromised through an insidious and disturbing technique, documented by Antonio De Bortoli, an IT technician specialized in computer forensics, whose analyses complement those of the Forenser team and of the expert Paolo Dal Checco, converging on a worrying picture. It is a so-called “zero-click” attack: a type of intrusion that affects the victim’s device without the victim taking any suspicious action. No phishing, no malware, no social engineering. The account is silently compromised, and the victim almost always only finds out when friends and acquaintances start replying to requests for money that the victim never sent. The underlying technical mechanism has been partially clarified by the experts, but the attack’s entry point remains, to date, completely unknown. Let’s see how the attack works, who it targets and, above all, what measures the experts recommend to defend against it.
When the attack leaves no traces
We are used to thinking that a cyber attack always requires a mistake on the part of the victim: a click on a malicious link, a hastily downloaded attachment, a code shared by mistake. The recent investigations conducted by the Forenser team – the forensic IT studio directed by Paolo Dal Checco – and by the forensic IT technician Antonio De Bortoli instead demonstrate the existence of so-called “zero-click” attacks, capable of compromising a profile without the victim taking any action.
It all started with a series of reports that arrived within the same day: users who discovered, from the reply messages of their contacts, that they had apparently asked for bank transfers. The most disconcerting fact is that the “Connected devices” section of WhatsApp showed no extraneous access. Yet it was clear that someone was writing in their name.
Who’s in the crosshairs: iPhone with iOS 16
By comparing the different cases, the Forenser team identified a pattern common to all of them: the affected devices were almost exclusively iPhones – various models from the 8 to the 14, including the X, XR, XS, 11, SE, 12 and 13 variants – running an obsolete version of the operating system: iOS 16.
The research led to the identification of two vulnerabilities: CVE-2025-43300, related to the way iOS 16 processes images through a system library, and CVE-2025-55177, a flaw in WhatsApp for iOS and macOS that could allow content from arbitrary URLs to be parsed via improperly authorized sync messages. Chaining the two flaws enables a zero-click attack in which the victim does not have to take any action to be compromised.
How the ghost session works
Under normal conditions, WhatsApp allows up to four secondary devices to be paired with a primary smartphone. In these cases, however, the intrusion does not take place through an additional visible device: the attacker manages to start a second, parallel primary session.
Analysis of the forensic logs of the affected devices revealed an anomalous and continuous sequence of “resync” events, as if the application were constantly renegotiating its session with the WhatsApp servers. This is not normal: it happens when someone else is trying to keep their own session active on the same account in parallel.
The result is a race condition, that is, a continuous conflict in which two processes compete for the same resource. The WhatsApp server recognizes two valid connections and keeps only one active at a time, switching control of the account between the victim’s phone and the attacker’s phone every few seconds. If a message is sent during the window in which the attacker has control, the chat does not appear on the victim’s phone: it remains completely invisible.
Foreign VPN and automatic messages
The investigations confirmed that at least one of the compromised accounts already had two-step verification active before the intrusion: this shows that this protective measure, although useful, is not sufficient to counter every attack scenario.
Analysis of the network traffic revealed the use of a VPN located in Hong Kong. Another revealing detail: the replies sent to contacts were not written by a human but managed by an algorithm with predefined answers. The system, in fact, was unable to keep the logical thread of the conversation as soon as the interlocutor departed from the pre-established script.
How to understand if your account is compromised
Identifying the exact entry vector remains complex, since no traces of malicious files or obvious anomalies in the system logs were found on the phones examined. However, there are three empirical tests that can provide useful information.
- Empty “Connected devices” section. If the list is completely clean but contacts are receiving unusual messages on your behalf, a parallel session may be active.
- Repeated error on WhatsApp Web. If a connection error systematically appears when trying to connect WhatsApp Web even though the network is stable, the stream is likely being contested on the server side.
- The airplane mode test. With airplane mode activated, if a contact sends you a message at that moment and sees the double (delivered) tick appear on it, it means that someone else is receiving it instead of you.
What to do to protect yourself (and stop the attack)
Let’s move on, now, to the measures to take to protect yourself. The most effective countermeasure is certainly to update iOS, bearing in mind that versions prior to 16.7.12 are vulnerable. Forenser also recommends activating iOS Lockdown Mode (in Settings > Privacy & Security > Lockdown Mode) to reduce the attack surface, while updating or reinstalling WhatsApp with fresh authentication is effective in interrupting any unauthorized session.
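As an added example (not the article’s or Forenser’s own code), the following Python triage script checks a constructed session-event log for the two signatures described under “How the ghost session works”, a continuous stream of resync events and account control flipping between two devices every few seconds, and applies the 16.7.12 version threshold given above; the log format, the event names and the device identifiers are assumptions.

```python
# Added example (not from the article): triage helpers over a constructed
# session-event log, plus the 16.7.12 iOS threshold the article gives.
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) (\w+)(?: device=(\S+))?$")  # hypothetical format

def parse_log(text):
    """Parse '<ISO ts> resync' / '<ISO ts> session_active device=<id>' lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, kind, device = m.groups()
            events.append((datetime.fromisoformat(ts), kind, device))
    return events

def resync_burst(events, window=timedelta(minutes=1), threshold=3):
    """More than `threshold` resyncs in one `window`: continuous renegotiation."""
    times = [t for t, kind, _ in events if kind == "resync"]
    return any(sum(1 for t in times[i:] if t - start <= window) > threshold
               for i, start in enumerate(times))

def control_flips(events, max_gap=timedelta(seconds=10)):
    """Count active-session switches to a different device within max_gap."""
    flips, last_dev, last_t = 0, None, None
    for t, kind, device in events:
        if kind != "session_active":
            continue
        if last_dev and device != last_dev and t - last_t <= max_gap:
            flips += 1  # two sessions fighting for the same account
        last_dev, last_t = device, t
    return flips

def is_vulnerable_ios(version, fixed=(16, 7, 12)):
    """iOS 16 older than 16.7.12 is affected; other majors are out of scope."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))
    return parts[0] == 16 and parts < fixed

SAMPLE_LOG = """
2025-09-01T10:00:00 session_active device=victim-iphone
2025-09-01T10:00:01 resync
2025-09-01T10:00:04 session_active device=unknown-peer
2025-09-01T10:00:05 resync
2025-09-01T10:00:09 session_active device=victim-iphone
2025-09-01T10:00:10 resync
2025-09-01T10:00:14 session_active device=unknown-peer
2025-09-01T10:00:15 resync
"""  # constructed: control alternating every few seconds, a resync after each flip
```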
