
ZKsync, an Ethereum Layer-2 scaling solution, confirmed a security breach where a compromised admin account led to the theft of approximately $5 million in unclaimed ZK tokens from its June 2024 airdrop. The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts, minting 111 million ZK tokens, which increased the circulating supply by 0.45%. The compromised account was identified as wallet 0x842822c797049269A3c29464221995C56da5587D.
ZKsync emphasized that the breach was isolated to the airdrop contracts, with no impact on user funds, the core protocol, ZK token contract, or governance systems. The team is conducting a full investigation, collaborating with cybersecurity experts and exchanges for recovery efforts, and has urged the attacker to negotiate to avoid legal consequences. The incident caused a sharp 20% drop in ZK token price, later recovering slightly to around $0.046.
ZKsync quickly revoked the compromised admin key to prevent further unauthorized access to the airdrop distribution contracts. This ensured no additional tokens could be minted via the exploited sweepUnclaimed() function, as confirmed by the team on April 16, 2025. The team verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, governance systems, or user funds. All tokens that could be minted through this function have already been minted, which closes the exploit vector.
An internal investigation was launched to determine how the admin account wallet address was compromised. ZKsync’s co-founder, Alex Gluchowski, noted that the unclaimed tokens were meant to return to the Token Assembly, and the team is probing why this didn’t occur. A full incident report was promised, with Gluchowski stating it would be published once the investigation and recovery efforts are complete. ZKsync is collaborating with the Security Alliance (SEAL), a blockchain cybersecurity group, to track the attacker’s movements and recover the stolen funds. SEAL is assisting in tracing the 111 million ZK tokens, most of which remain in the attacker’s wallet (0xb102…d6a8).
The team is working with cryptocurrency exchanges to freeze the stolen assets. Approximately 44 million tokens ($2.1 million) are unaccounted for, while 2,200 ETH ($3.4 million) from swapped tokens are traceable, indicating active efforts to monitor and potentially recover these funds. Security teams froze suspicious transactions within hours of the breach, limiting further damage.
ZKsync publicly urged the attacker to contact their security team at security@zksync.io to negotiate the return of the stolen funds, warning of legal consequences if they fail to comply. This approach aims to recover assets without escalating to law enforcement, though no updates on negotiations have been reported. ZKsync has used X to provide updates, reassuring users that their funds are safe and the protocol remains secure. Posts on April 15 and 16, 2025, detailed the breach, the compromised wallet, and containment measures.
Despite these efforts, community backlash has been significant, with accusations of mismanagement and skepticism about the breach’s legitimacy. Some users suggested it might be an “inside job” or a cover for other issues, though no evidence supports these claims. ZKsync has acknowledged the criticism and pledged enhanced security protocols.
ZKsync developers have committed to implementing stronger security measures, including transitioning to multi-party computation (MPC) wallets, real-time transaction monitoring, and decentralized governance controls for treasury management. These aim to address vulnerabilities in admin key management and restore investor confidence. The breach highlighted centralization risks in airdrop contract management, prompting calls for more robust multi-signature wallet protections and regular security audits.
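An added example, not ZKsync's code or tooling: one way a real-time monitoring rule of the kind listed above could flag privileged sweepUnclaimed() calls, both when tokens go somewhere other than the intended destination and when one key sweeps several distributor contracts in a short window. The record fields, contract identifiers, expected recipient, thresholds and sample records are all constructed placeholders.

```python
from collections import defaultdict, namedtuple

# Decoded call record; field names are assumptions made for this example.
Call = namedtuple("Call", "ts contract function caller recipient amount")

# Placeholders, not real addresses or chain data.
WATCHED = {"DISTRIBUTOR_A", "DISTRIBUTOR_B", "DISTRIBUTOR_C"}
PRIVILEGED = {"sweepUnclaimed"}            # function named in the article
EXPECTED_RECIPIENT = "TOKEN_ASSEMBLY"      # where unclaimed tokens were meant to go
WINDOW_SECONDS = 3600                      # assumed correlation window
MAX_CONTRACTS_PER_WINDOW = 1               # assumed baseline for a single key

def evaluate(calls):
    """Return (timestamp, rule, detail) alerts for a list of Call records."""
    alerts = []
    recent = defaultdict(list)             # caller -> [(ts, contract)] inside the window
    for c in sorted(calls, key=lambda r: r.ts):
        if c.contract not in WATCHED or c.function not in PRIVILEGED:
            continue
        # Rule 1: a sweep that does not return tokens to the expected destination.
        if c.recipient != EXPECTED_RECIPIENT:
            alerts.append((c.ts, "unexpected_recipient",
                           f"{c.amount} tokens from {c.contract} to {c.recipient}"))
        # Rule 2: the same key sweeping several watched contracts in one window.
        window = [(t, k) for t, k in recent[c.caller] if c.ts - t <= WINDOW_SECONDS]
        window.append((c.ts, c.contract))
        recent[c.caller] = window
        touched = {k for _, k in window}
        if len(touched) > MAX_CONTRACTS_PER_WINDOW:
            alerts.append((c.ts, "multi_contract_sweep",
                           f"{c.caller} swept {len(touched)} contracts in {WINDOW_SECONDS}s"))
    return alerts

# Constructed sample: one routine sweep, one user claim, then three rapid sweeps.
SAMPLE_CALLS = [
    Call(1000, "DISTRIBUTOR_A", "sweepUnclaimed", "ADMIN_KEY", "TOKEN_ASSEMBLY", 500),
    Call(9000, "DISTRIBUTOR_A", "claim", "USER_1", "USER_1", 100),
    Call(20000, "DISTRIBUTOR_A", "sweepUnclaimed", "ADMIN_KEY", "UNKNOWN_WALLET", 1_000_000),
    Call(20060, "DISTRIBUTOR_B", "sweepUnclaimed", "ADMIN_KEY", "UNKNOWN_WALLET", 1_000_000),
    Call(20120, "DISTRIBUTOR_C", "sweepUnclaimed", "ADMIN_KEY", "UNKNOWN_WALLET", 1_000_000),
]

if __name__ == "__main__":
    for ts, rule, detail in evaluate(SAMPLE_CALLS):
        print(ts, rule, detail)
```
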
The ZK token price dropped 15-20% following the breach, from $0.047 to as low as $0.039, but later recovered slightly to around $0.046-$0.0475. ZKsync’s assurances about protocol security helped mitigate panic selling, though trading volume surged 96% to $71 million, reflecting market volatility. The team is addressing community frustration over the loss of airdrop tokens, which were meant to incentivize ecosystem participation. While no specific compensation plans have been announced, users anticipate governance reforms or potential reimbursement strategies.
The recovery of the stolen $5 million remains uncertain, as the attacker still holds most of the tokens. Tracing and freezing assets across decentralized exchanges is complex, and negotiations may not yield results. Community trust has been strained due to prior criticism of ZKsync’s airdrop distribution (e.g., weak Sybil protection) and the current breach. Restoring confidence will require transparent reporting and tangible security improvements.
ZKsync’s total value locked (TVL) was reported at $57.3-$60 million, down significantly since February 2025, adding pressure to demonstrate resilience. ZKsync’s recovery efforts involve immediate containment, collaboration with security experts and exchanges, an ongoing investigation, and plans for enhanced security protocols. While the team has taken steps to limit damage and pursue the stolen funds, rebuilding community trust and fully recovering the assets remain significant challenges.