WhatsApp Encryption Secures Servers, But Exposes Users to Client-Side Attacks

WhatsApp’s strong end-to-end encryption has significantly boosted user privacy, yet it has also shifted the battlefield for hackers toward user devices, according to researchers at Black Hat Asia 2026.

Tal Be’ery, co-founder and CTO of Zengo, highlighted that with over three billion users, WhatsApp remains a prime target for cybercriminals seeking valuable data. Since implementing the Signal protocol in 2016, WhatsApp’s servers function only as a “dumb pipe,” unable to read message content or detect threats effectively.

This architecture protects the company’s infrastructure from mass surveillance but leaves users vulnerable. Attackers now focus on client-side exploits where messages are decrypted and stored. Metadata such as who messaged whom, delivery receipts, online status, and linked devices provides valuable intelligence for stalkers and threat actors.

Be’ery explained that WhatsApp’s multi-device feature further increases risks by enabling device enumeration and pinpointing. Hackers can identify specific devices linked to an account and launch targeted zero-click spyware attacks without user interaction.

Recent incidents, including a campaign targeting Italian journalists and activists with Paragon Solutions spyware, demonstrate the growing sophistication of these threats. Silent pings and rich media files have become common delivery methods for exploits.

To counter these risks, Be’ery proposed practical solutions like a “Lockdown Mode” that allows messages only from known contacts, restricted requests from strangers, and hiding linked devices from senders to prevent reconnaissance.

While end-to-end encryption remains essential, Be’ery stressed that WhatsApp’s 2016 security model needs urgent evolution in 2026 to better protect its massive global user base from evolving client-side threats.