Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning

Pierluigi Paganini
May 25, 2026

A zero-click attack targeting iPhones on iOS 16 hijacked WhatsApp accounts without linked devices, warnings, or user interaction.

There is a particular kind of security incident that is harder to explain than most: your WhatsApp account is sending messages you did not write, asking your contacts for money transfers, and when you check the “Linked Devices” section in the app, it shows nothing. No unauthorized sessions, no suspicious logins, no QR codes scanned by mistake. Just your phone, your account, and someone else apparently using it at the same time.

That is exactly what happened to multiple iPhone users in Italy over the past few weeks, and the forensic investigation that followed has uncovered what appears to be an active zero-click exploitation campaign targeting a specific combination of iOS version and WhatsApp client.

The cases were brought to the attention of the Italian digital forensics firm Forenser by users who had all experienced the same bizarre pattern: messages sent from their WhatsApp number to recent contacts requesting wire transfers, with no memory of having sent them and no trace of any linked device in the app’s settings. The firm’s analysis, published this week, reveals a technically sophisticated attack that exploits known vulnerabilities in iOS 16 to gain unauthorized access to WhatsApp sessions without requiring any user interaction.

What the victims saw

The common thread across all reported cases was striking in its consistency. Every affected user was running an iPhone, models ranging from iPhone 8 through iPhone 14, including X, XR, XS, 11, SE, 12, and 13 variants, with some version of iOS 16 installed. The attackers gained access to recent chat conversations and sent messages requesting money transfers, but…

Source

Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning