WhatsApp can be hacked without the user knowing on outdated smartphones: how to defend yourself


In recent months, dozens of WhatsApp accounts in Italy have been compromised through an insidious technique documented by Antonio De Bortoli, an IT technician specialized in computer forensics, whose analyses complement those of the Forenser team and of the expert Paolo Dal Checco and converge on a worrying picture. The attack is described as “zero click”: a type of intrusion that compromises the victim’s device without the victim performing any suspicious action. No phishing, no malware, no social engineering. The account is silently taken over, and the victim almost always finds out only when friends and acquaintances start replying to requests for money that the victim never sent. Experts have partially clarified the underlying technical mechanism, but the entry point of the attack remains, to date, unknown. Let’s see how the attack works, who it targets and, above all, what measures the experts recommend to defend yourself.

When the attack leaves no traces

We are used to thinking that a cyber attack always requires an error on the part of the victim: a click on a malicious link, a hastily downloaded attachment, a code shared by mistake. The recent investigations conducted by the Forenser team – a digital forensics firm directed by Paolo Dal Checco – and by the forensic IT technician Antonio De Bortoli demonstrate the existence of “zero click” attacks, capable of compromising an account without the victim taking any action.

It all started with a series of reports arriving within the same day: users who discovered, from the replies of their contacts, that they had apparently asked for bank transfers. The most disconcerting fact is that the “Linked devices” section of WhatsApp showed no unknown device. Yet it was clear that someone was writing in their name.

Who’s in the crosshairs: iPhone with iOS 16

By comparing the different cases, the Forenser team identified a pattern common to all of them: the affected devices were almost exclusively iPhones – various models from the 8 to the 14, including the X, XR, XS, 11, SE, 12 and 13 variants – running an outdated version of the operating system: iOS 16.

The research led to the identification of two vulnerabilities: CVE-2025-43300, related to the way iOS 16 processes images through a system library, and CVE-2025-55177, a flaw in WhatsApp for iOS and macOS that could allow parsing of content from arbitrary URLs via improperly authorized sync messages. Chaining the two flaws enables a zero-click attack in which the victim does not have to take any action to be compromised.

How the ghost session works

Under normal conditions, WhatsApp allows you to pair up to four secondary devices with a primary smartphone. In these cases, however, the intrusion does not occur through a visible additional device: the attacker manages to start a second parallel primary session.

Analyzing the forensic logs of the affected devices, an anomalous and continuous sequence of “resync” events emerged, as if the application were constantly renegotiating its session with the WhatsApp servers. This is not normal: it happens when someone else is trying to keep a session of their own active on the same account at the same time.

The result is a race condition: a continuous conflict in which two parties compete for the same resource. The WhatsApp server recognizes two valid connections but keeps only one active at a time, switching control of the account between the victim’s phone and the attacker’s phone every few seconds. If a message arrives during the window in which the attacker has control, the chat does not appear on the victim’s phone: it remains completely invisible.
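As an added example (not code from the original article or from Forenser’s tooling), a small Python checker that scans an event log for the dense “resync” pattern described above. The log format, the event names and the thresholds are assumptions for this example, and the sample log is constructed.

```python
from datetime import datetime
from statistics import median

# Constructed sample log: one "<ISO timestamp> <event>" per line.
# The layout is an assumption for this example, not the real WhatsApp
# log format nor the one analysed in the forensic reports.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z app_start
2025-09-01T10:00:04Z resync
2025-09-01T10:00:09Z resync
2025-09-01T10:00:13Z resync
2025-09-01T10:00:18Z resync
2025-09-01T10:00:22Z resync
2025-09-01T10:00:27Z message_received
2025-09-01T10:00:31Z resync
2025-09-01T10:00:36Z resync
2025-09-01T10:00:40Z resync
"""

def parse_events(text):
    """Turn log lines into (timestamp, event_name) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, name = line.split(maxsplit=1)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), name))
    return events

def resync_stats(events):
    """Return (number of resyncs, median gap in seconds between them)."""
    times = [ts for ts, name in events if name == "resync"]
    if len(times) < 2:
        return len(times), None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(times), median(gaps)

def looks_like_contested_session(events, min_count=5, max_median_gap=30.0):
    """Flag a steady stream of resyncs only seconds apart: the pattern the
    forensic analysis associates with a second primary session fighting
    for the same account. Both thresholds are assumptions."""
    count, med = resync_stats(events)
    return count >= min_count and med is not None and med <= max_median_gap
```

A normal session, with a handful of resyncs spread over hours, should fall well below these thresholds; a sustained few-second cadence is the signal worth escalating to the checks listed further down.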

Foreign VPN and automatic messages

Investigations confirmed that at least one of the compromised accounts already had two-step verification enabled before the intrusion, demonstrating that this protection measure, while useful, is not sufficient to combat all attack scenarios.

The analysis of network traffic revealed the use of a VPN located in Hong Kong. Another revealing detail: the replies sent to contacts were not written by a human but generated automatically from a set of predefined responses. In fact, the system was unable to keep up with the conversation as soon as the interlocutor strayed from the expected script.

How to understand if your account is compromised

Identifying the exact entry vector remains complex, since no traces of malicious files or obvious anomalies in the system logs were found on the phones examined. However, there are three empirical tests that can provide useful indications.

  • “Linked devices” section empty. If the list is completely clean but contacts are receiving unusual messages on your behalf, a parallel session may be active.
  • Repeated error on WhatsApp Web. If a connection error systematically appears when you try to connect WhatsApp Web even though the network is stable, the session is probably being contested on the server side.
  • The airplane mode test. Turn on airplane mode and have a contact send you a message: if the contact sees the two delivery ticks appear while your phone is offline, someone else is receiving it instead of you.

What to do to protect yourself (and stop the attack)

Let’s now move on to the measures to take to protect yourself. The most effective countermeasure is certainly to update iOS, bearing in mind that versions prior to 16.7.12 are vulnerable. Forenser also recommends turning on iOS Lockdown Mode (in Settings > Privacy & Security > Lockdown Mode) to reduce your attack surface. Updating or reinstalling WhatsApp and re-authenticating is effective in cutting off any unauthorized session.