Federal agents arrested Shamim Mafi at LAX on Saturday night. The criminal complaint describes Mohajer-6 drones, bomb fuses, and millions of rounds of Iranian ammunition moving through an Oman-registered shell called Atlas International Business to the Sudanese Armed Forces.
This is a story about WhatsApp encryption.
The communication channel was WhatsApp.
Contract terms were on WhatsApp.
Cash logistics were on WhatsApp.
In turkey we can just accept in exchange. And it should be in cash.
The FBI put the private WhatsApp messages in a public filing. How? Why? Meta doesn’t just market WhatsApp as end-to-end encrypted, they send security talking-heads like Alex Stamos around to call WhatsApp privacy better than sliced bread.
That’s a lot of nonsense and it literally has gotten people killed for believing it.
Two architectural facts collapse the aggressive marketing. Cloud backups first disproved the claims. WhatsApp synced chats to iCloud and Google Drive in plaintext by default until late 2021. Meta added opt-in encrypted backups then and left the default unchanged. A subpoena to Apple or Google reaches message content through the backup layer. The encryption protected the wire, while a backup always held the plaintext copy out for inspection.
The report button came next, which I consider an intentional backdoor that Signal does not have (WhatsApp encryption is just Signal underneath, with the backdoor added). ProPublica documented it in September 2021. Roughly 1,000 Accenture contractors in Austin, Dublin, and Singapore review user reports. When either party taps report, the client forwards the last five messages plus media to Meta in plaintext. The counterparty whose chats land in the review queue never consents. Meta writes the trigger conditions. Meta can expand the window by software update.
The arrests keep coming. The encryption claim keeps recruiting users who route sensitive communications through Meta. The FBI reads them. Every conviction built on WhatsApp evidence is proof the product worked how Facebook intended, just not as advertised.
Client-side exfiltration with end-to-end marketing on the label is not privacy. Cryptography was sprinkled on the wire while the architecture kept the content readable by third parties … by design
Seems wild how encryption is supposed to keep things private, yet this kind of stuff still happens. What kind of evidence did they find?