Hacker mints $5M in ZK tokens after compromising ZKsync admin account

A hacker compromised a ZKsync admin account on April 15, minting $5 million worth of unclaimed airdrop tokens, according to a statement from the official ZKsync X account. The attack was described as isolated, with no user funds affected.

Following an investigation, ZKsync detailed the incident on April 15, disclosing that the compromised account had administrative control over three airdrop distribution contracts. The attacker exploited a function called sweepUnclaimed() to mint 111 million unclaimed ZK tokens, increasing the total token supply by 0.45%. As of the latest update, the attacker still held control of most of the stolen funds.

Source: ZKsync

ZKsync is coordinating recovery efforts with the Security Alliance (SEAL). According to the protocol, its governance and token contracts are unaffected. The company stated that no further exploits are possible via the “sweepUnclaimed()” vector.

ZKsync is an Ethereum layer-2 protocol that processes main-layer transactions in batches using a technology called zero-knowledge rollups. The ZKsync Era platform has $57.3 million in total value locked as of April 15, according to DefiLlama. ZKsync had been in the process of airdropping 17.5% of its token supply to ecosystem participants.

Related: DeFi platform KiloEx offers $750K bounty to hacker

ZKsync’s token, ZK (ZK), saw volatile price action in the wake of the hack and the project’s public disclosure on X. Around 1:00 pm UTC, the token had dropped 16%, falling to $0.040 before rebounding to $0.047 at the time of writing. Despite the bounce, ZK remains down 7% over the past 24 hours.

Overall, $2 billion has been lost to crypto hacks in the first quarter of 2025 alone, just $300 million less than the total lost in 2024.

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis