WhatsApp’s ‘End-to-End Encryption by Default’ Claim Called

Telegram founder Pavel Durov has accused WhatsApp of what he calls “the biggest consumer fraud in history,” alleging its widely marketed end-to-end encryption (E2EE) claims are fundamentally misleading, thereby leaving the private messages of billions of users exposed on unencrypted cloud servers.

In a post published on April 9, 2026, Durov asserted that approximately 95% of private messages sent on WhatsApp are ultimately stored as plain-text backups on Apple iCloud and Google Drive servers, completely outside the scope of WhatsApp’s E2EE infrastructure.

The claim centers on a structural loophole that security researchers and digital rights organizations have flagged for years: while messages in transit between users are encrypted end-to-end, cloud backups of those messages are not encrypted by default.

WhatsApp does offer an opt-in encrypted backup feature, but it requires users to manually enable it within app settings and set either a strong password or a 64-digit encryption key. According to Durov, the vast majority of users never activate this feature, and even fewer use sufficiently strong passwords to protect their backups.

Pavel Durov Calls WhatsApp Encryption Claim Fraud

From a technical standpoint, the problem lies in how WhatsApp’s E2EE architecture terminates at the device level. When a user enables cloud backup, which is turned on by default, the decrypted message history is exported to Google Drive or Apple iCloud, where it is stored without end-to-end encryption unless the user has explicitly configured the E2EE backup option.

As Wire’s security blog notes, “If you back up your WhatsApp messages to Google Drive or iCloud, those backups are not protected by WhatsApp’s end-to-end encryption unless you explicitly enable encrypted backups, which is off by default.”

This means Apple, Google, and by extension, law enforcement agencies or malicious actors with access to those platforms, can potentially read those backups.

Durov further highlighted a compounding privacy failure: even if a user personally enables encrypted backups, their conversation partners, who may not have done the same, create their own unencrypted cloud copies of the same conversation. This renders individual E2EE backup adoption largely ineffective at scale.

The allegations are not solely Durov’s. A U.S. class-action lawsuit has been filed against Meta, alleging that WhatsApp contains a backdoor that grants Meta employees and third-party entities access to users’ private messages, directly contradicting WhatsApp’s public privacy assurances.

Meta has dismissed these allegations as “false and absurd,” but has not provided a detailed technical rebuttal addressing the backup architecture vulnerability.

The Electronic Frontier Foundation (EFF) has long warned that “unencrypted backups are vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees,” and has consistently advised users against backing up secure messenger conversations to the cloud.

Security professionals recommend the following immediate steps for WhatsApp users concerned about their privacy:

• Enable E2EE backups in WhatsApp Settings → Chats → Chat Backup → End-to-end Encrypted Backup
• Use a strong, unique password — not a PIN or biometric shortcut
• Audit contact backup behavior, as conversations remain exposed if recipients have not enabled the same protection
• Consider Signal for high-sensitivity communications, as it does not support cloud backup of message history by design

Durov claims that Telegram “has never disclosed a single byte of users’ messages in its 12+ year history,” positioning it as the privacy-first alternative. However, security experts note that Telegram’s regular chats are not end-to-end encrypted by default, either; only its “Secret Chats” feature uses E2EE, making it an imperfect counterexample in its own right.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.