WhatsApp’s promise of private, end-to-end encrypted chats is colliding with a harsher reality: the platform’s sheer scale has turned it into a high‑value target for surveillance tools that do not need to break encryption to cause serious harm. A new spying technique that can quietly track and profile accounts at global scale has pushed that risk into sharp focus, putting roughly three billion users in the crosshairs of anyone willing to weaponize it. The emerging picture is of a messaging giant whose core cryptography holds, while its surrounding infrastructure and features expose a vast attack surface that is only now being fully understood.

Instead of a single catastrophic breach, WhatsApp is facing a layered crisis in which enumeration flaws, metadata scraping, and zero‑click exploits combine into a powerful surveillance toolkit. I see the latest spying tool as the logical next step in this evolution: it automates what researchers have already shown is possible, turning obscure technical weaknesses into something that can be used to watch people at scale, often without leaving a trace.

The new spying tool that can watch “Three billion” users

The most alarming development is a tool built by a security expert that can silently monitor the activity patterns of WhatsApp accounts across the globe. According to reporting on the project, the expert demonstrated that roughly three billion WhatsApp users could be tracked in this way, with the system logging when they come online, how frequently they connect, and how their patterns overlap with others. None of this requires reading message content, yet it can reveal relationships, routines, and even potential locations when cross‑referenced with other data. The developer has warned explicitly against misuse, but the proof of concept shows how easy it would be for a determined actor to adapt the technique.

What makes this tool so dangerous is that it exploits normal, user‑visible features that are hard to lock down without breaking the app’s basic functionality. Online status indicators, profile visibility, and contact discovery are all designed to make WhatsApp feel seamless, yet they also create a rich stream of metadata that a script can harvest at industrial scale. Because the spying system relies on public or semi‑public signals, it operates in a gray zone that traditional security monitoring may not catch, which is exactly why the expert behind it is urging WhatsApp to treat this as a systemic privacy flaw rather than a clever hack that can be ignored.

How a simple enumeration trick exposed billions of numbers

The spying tool lands on top of a separate but related weakness: the ease with which attackers can cycle through phone numbers and see which ones are tied to active WhatsApp accounts. Researchers showed that by repeating the same lookup trick “a few billion times” against the platform’s interface, they could identify valid accounts at scale and even pull associated details like profile photos and names. One investigation described how this simple enumeration flaw turned WhatsApp’s convenience features into a massive directory of personal data, documenting how the technique was tested.

Another team focused on the platform’s API, identifying a data exposure that put 3.5 billion users at risk by allowing automated queries to reveal whether specific phone numbers were registered. That research showed how the API could be abused to build enormous lists of active accounts without triggering meaningful rate limits. The combination of these findings means that anyone with modest resources can first map out who is on WhatsApp, then feed those identities into a surveillance tool that tracks when and how those accounts are active, creating a powerful foundation for targeted phishing, harassment, or state‑level monitoring.

The “3.5 billion” enumeration flaw that proved the scale of the problem

The most concrete demonstration of this risk came when security researchers in Austria used an enumeration vulnerability to scrape data tied to more than 3.5 billion active WhatsApp users. Their work showed that the flaw was not just theoretical: in practice, it was possible to cycle through global phone ranges and log which numbers were linked to accounts, all without breaching WhatsApp’s servers or bypassing encryption. A detailed technical analysis later confirmed that the researchers could enumerate accounts at a rate of up to 600 million phone numbers per hour, a staggering throughput that turned a two‑day test into a global privacy event.

Follow‑up reporting emphasized that the vulnerability has since been patched, but the damage to user trust is harder to repair. One account described how a two‑day exploit window was enough to open up 3.5 billion users to “myriad potential harms,” with journalist Connor Jones noting that the attack did not experience prohibitive rate limiting, a detail that underlines how quietly the scraping could proceed. Even if WhatsApp has closed this particular hole, the episode proves that the platform’s public‑facing interfaces can be chained together into large‑scale surveillance systems, especially when combined with tools that continuously monitor online status and profile changes.
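The reporting above stresses that the scrape never hit prohibitive rate limiting. As an added, defender‑side illustration (not WhatsApp’s code and not the researchers’ tooling), the snippet below runs two enumeration checks over a constructed lookup log: a sliding‑window volume ceiling per client and a test for clients walking through numerically adjacent phone numbers. The client ids, numbers and thresholds are invented for the example.

```python
"""Detection sketch for contact-discovery enumeration (hypothetical thresholds)."""
from collections import defaultdict, deque

# Constructed sample log: (timestamp_seconds, client_id, phone_number_looked_up).
# "scraper-A" walks 120 adjacent numbers in two minutes; "user-B" does three
# unrelated lookups half a minute apart.
SAMPLE_LOOKUPS = (
    [(t, "scraper-A", f"+43660{1000000 + t:07d}") for t in range(120)]
    + [(t * 30, "user-B", n)
       for t, n in enumerate(["+4366012345678", "+4366098765432", "+4366011112222"])]
)

WINDOW_SECONDS = 60
MAX_PER_WINDOW = 30      # hypothetical per-client ceiling, far below 600M/hour
SEQ_RUN_THRESHOLD = 10   # this many consecutive +1 numbers counts as range walking


def rate_violations(lookups, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Sliding-window lookup count per client.
    Returns {client: peak_count_in_any_window} for clients exceeding `limit`."""
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, client, _ in sorted(lookups):
        q = windows[client]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop timestamps outside the window
            q.popleft()
        peaks[client] = max(peaks[client], len(q))
    return {c: n for c, n in peaks.items() if n > limit}


def sequential_runs(lookups, threshold=SEQ_RUN_THRESHOLD):
    """Flags clients whose successive lookups step through adjacent numbers.
    Returns {client: longest_run} for runs of at least `threshold`."""
    by_client = defaultdict(list)
    for _, client, number in sorted(lookups):
        by_client[client].append(int(number.lstrip("+")))
    flagged = {}
    for client, nums in by_client.items():
        run = longest = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b - a == 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            flagged[client] = longest
    return flagged


def enumeration_suspects(lookups):
    """Union of both signals; either one alone is enough to flag a client."""
    return set(rate_violations(lookups)) | set(sequential_runs(lookups))
```

The volume check alone would miss an attacker who stays just under the ceiling, which is why the range‑walking check is run alongside it.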

Zero‑click spyware shows how far attackers will go

While enumeration and metadata scraping exploit visible features, another front in the WhatsApp security battle involves invisible, zero‑click exploits that compromise devices without any user interaction. Earlier this year, WhatsApp rushed to patch a dangerous vulnerability, tracked under a CVE identifier, which targeted Apple devices through a malicious image sent over the app. Analysts explained that on August 29 WhatsApp issued an urgent fix after discovering that attackers could use the bug to install spyware simply by sending a crafted message, with no taps or clicks required from the victim.

Separate coverage noted that CVE-2025-43300 had been disclosed by Apple as part of an “extremely sophisticated attack” against journalists and human rights defenders, underscoring that high‑risk users are often the first to be targeted when such flaws emerge. Another report highlighted how Meta moved quickly to fix the critical WhatsApp vulnerability on iPhones, stressing the urgency of the patch. For anyone watching the platform’s security posture, these zero‑click incidents show that attackers are willing to invest heavily in weaponizing obscure bugs, and that WhatsApp’s defenses must extend far beyond its encryption protocol.

Spyware firms and the global market for WhatsApp surveillance

The demand for tools that can pierce WhatsApp’s protections is not hypothetical; it is already fueling a global spyware industry that treats messaging apps as prime targets. Earlier this year, WhatsApp disclosed that a company called Paragon had targeted users in 24 countries, prompting the platform to send a cease‑and‑desist letter after investigating the hack. Officials described how the firm’s tools were used to compromise accounts and devices, and how WhatsApp had to notify affected users while also pursuing legal and technical countermeasures.

When I look at the new spying tool that can monitor “Three billion” users, I see it fitting neatly into this broader ecosystem. Commercial surveillance vendors already sell services that promise to track targets’ messaging habits, and a technique that leverages public metadata rather than intrusive malware could be especially attractive because it is harder to detect and regulate. The Paragon case shows that WhatsApp is willing to confront spyware firms directly, but it also highlights the asymmetry of the fight: a single company can quietly target people in 24 countries, while the platform must retrofit privacy protections for billions of users without breaking the app’s core experience.

Is WhatsApp “Really Safe” if metadata is exposed?

For most people, the obvious question is whether WhatsApp is still safe to use in light of these revelations. On the narrow question of message content, the answer is still yes: end‑to‑end encryption means that only you and your contacts can read what you send. A detailed privacy analysis framed the issue bluntly with the phrase “Is WhatsApp Really Safe in 2025?” and concluded that, for the average user, the encryption works as advertised. The core problem, however, is that the app still collects and exposes metadata such as who you talk to, when you are online, and which phone number is tied to which account, and those signals can be incredibly revealing when aggregated.

That same analysis stressed that for the people most at risk, such as activists, journalists, or political dissidents, metadata can be as dangerous as message content. If a government or private actor can use enumeration flaws and status‑tracking tools to map out a network of contacts, they can infer relationships, identify sources, and build dossiers without ever decrypting a single message. This is why I see the new spying tool as more than a clever stunt: it exposes a structural weakness in how WhatsApp handles presence and discovery, and it challenges the idea that encryption alone is enough to guarantee meaningful privacy.

“Here’s Why It Matters”: from research demo to real‑world harm

Security researchers have gone out of their way to explain why these flaws matter beyond the lab. One investigation into the enumeration vulnerability was framed around the idea of “Here’s Why It Matters,” with author Alina BÎZGĂ walking through how a team could scrape data from 3.5 billion users without breaching any servers. The report emphasized that the attack took place entirely through legitimate interfaces, which means similar techniques could be replicated by criminals, stalkers, or authoritarian regimes without triggering traditional intrusion alarms. It also highlighted that device‑protection tools are only part of the answer when the vulnerability lies in how a platform exposes user information by design.

Another key point from that research is that the enumeration and scraping did not require advanced nation‑state capabilities. When a team of cybersecurity experts can pull off a global scrape using commodity infrastructure, it lowers the barrier for others to follow. The new spying tool that tracks “Three billion” users builds directly on this foundation: it automates the monitoring of online status and other metadata, turning what was once a time‑limited research project into a persistent surveillance capability. That is why I see the current moment as a tipping point, where the gap between academic proof‑of‑concept and real‑world abuse is closing fast.

What WhatsApp has fixed, and what remains exposed

To its credit, WhatsApp has moved to patch several of the most glaring weaknesses. The enumeration vulnerability that allowed scraping of 3.5 billion accounts has been closed, and the company has tightened some of the API behaviors that previously enabled high‑speed lookups. Technical write‑ups note that the exploit window lasted only a couple of days, and that the platform has since introduced additional checks to prevent similar high‑volume queries. Coverage by Connor Jones underscored that the company did not impose prohibitive rate limiting during the attack, a lesson that appears to have informed its subsequent defenses, as documented in a second analysis of the same flaw.

Yet the core ingredients that make the new spying tool possible remain largely intact. Users still broadcast their online status by default, profile photos and names are still visible in many contexts, and the app still relies on phone numbers as primary identifiers. Even with patches in place, an attacker can combine slower enumeration with long‑term monitoring to build rich profiles over time. From my perspective, the real challenge for WhatsApp is not just closing individual bugs but rethinking how much metadata it exposes by default, and how much control it gives users over signals that can be quietly harvested at scale.

How users can respond while Meta plays catch‑up

In the short term, the most practical defenses are the ones users can apply themselves, even if they are imperfect. Tightening privacy settings to hide “last seen” and online status from everyone, limiting profile photo visibility to contacts, and being cautious about which phone number you link to WhatsApp can all reduce the amount of metadata available to automated tools. For high‑risk users, pairing WhatsApp with additional safeguards such as device‑level security apps, hardware security keys for account recovery, and alternative messengers that do not rely on phone numbers can add important layers of protection while Meta works on deeper architectural changes.

Ultimately, however, the burden cannot rest solely on individuals. The emergence of a spying tool capable of tracking “Three billion” users, combined with enumeration flaws that exposed 3.5 billion accounts and zero‑click exploits like CVE-2025-43300, shows that WhatsApp’s design choices have systemic privacy implications. I believe Meta will need to treat metadata exposure with the same seriousness it applies to encryption, investing in features that obfuscate presence, randomize identifiers, and throttle large‑scale queries without degrading the user experience. Until that happens, the world’s most popular messaging app will remain a paradox: cryptographically strong at its core, yet vulnerable at the edges in ways that sophisticated attackers are already learning to exploit.