The target will have to contact WhatsApp support to recover their account at this point. Once that’s done, both the attacker and the target will see the same “Try again after -1 seconds” message while attempting to login. The attacker then has to repeat the 12-hour cycle twice. You should be able to restore access to WhatsApp at this point. WhatsApp will then lock you out of the app. The attacker then has to set up an email address and send “a lost/stolen phone request” to WhatsApp to deactivate your account. The targets wouldn’t have any way to know that the hack is taking place, but they should be alarmed by a large number of verification codes coming their way.
WhatsApp will keep sending codes to the user, but it will block the verification process for 12 hours after a certain number of attempts.
