ZKsync Recovers $5.7 Million in Stolen Crypto After Bounty Negotiation

TLDR

  • ZKsync recovered $5.7 million in stolen ZK and ETH tokens after a security breach on April 15
  • The hacker agreed to a 10% bounty and returned 90% of funds within the 72-hour deadline
  • The exploit involved unauthorized minting of 111 million ZK tokens using a compromised admin key
  • No user funds or core infrastructure were affected during the breach
  • ZKsync plans to publish a detailed forensic report about the incident

An April 15 security breach of ZKsync’s airdrop distribution contract has been resolved with the return of stolen funds. The hacker, who exploited the system to mint 111 million ZK tokens worth approximately $5 million, has cooperated with the protocol’s Security Council by accepting a 10% bounty offer and returning the remaining 90% of assets.

The ZKsync Association confirmed the recovery on April 23 through its official social media channels. “We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline,” the organization posted to X (formerly Twitter).

The returned funds totaled nearly $5.7 million, exceeding the initial theft amount due to price increases in both ZK and ETH tokens since the incident. The recovered assets included $2.47 million worth of ZK tokens and $1.83 million of Ether sent to the ZKsync Security Council’s Era address, plus an additional 776 ETH worth about $1.4 million transferred to their Ethereum address.

How the Hack Occurred

The security breach stemmed from a compromised admin account that gave the attacker access to the airdrop distribution contract’s sweepUnclaimed() function. This allowed the attacker to mint, without authorization, the 111 million ZK tokens that remained unclaimed at the time of the attack.

The exploit happened during ZKsync’s airdrop process, which was distributing 17.5% of ZK’s token supply to ecosystem participants. The vulnerability was limited to the airdrop distribution contracts and did not affect the broader protocol infrastructure or user funds.

On-chain data revealed that following the breach, the attacker swapped approximately $3.5 million of the stolen ZK tokens for Ethereum. The hack temporarily inflated the ZK token supply, but the market reaction was muted.

The Recovery Process

To avoid lengthy legal proceedings, ZKsync’s Security Council issued an on-chain message to the attacker with a straightforward offer: return 90% of the stolen funds and keep 10% as a bounty. The message included specific wallet addresses for transferring the tokens across both the ZKsync Era network and Ethereum’s mainnet.

The hacker complied with these terms, making three separate transfers on April 23. The first transfer occurred at 2:39:57 pm UTC, with the last one following approximately 13 minutes later—all within the 72-hour window established by ZKsync.

Following the successful recovery, ZKsync confirmed that it would not take further action against the attacker. The association also stated that a final report with additional details about the security incident would be published.

Next Steps for Recovered Assets

The recovered funds are now under the control of the Security Council, pending governance decisions about their future use. This incident has prompted renewed scrutiny over smart contract access controls, particularly regarding admin key security and airdrop mechanisms.

Despite the positive outcome of the fund recovery, the price of the ZK token showed little movement on the news, with just a 0.5% increase after the announcement. The token was actually down 0.2% over the 24 hours following the recovery.

ZKsync Era, the protocol affected by the breach, is an Ethereum layer 2 solution that uses zero-knowledge rollups to batch and process transactions off-chain. According to DefiLlama and RWA.xyz, it has nearly $59 million in total value locked on its chain and hosts over $2 billion in real-world assets on-chain.

The swift resolution demonstrates an increasingly common approach to security incidents in the crypto space, where projects offer bounties to hackers as an incentive for returning stolen funds rather than pursuing legal remedies or more confrontational approaches.

Source: https://blockonomi.com/zksync-recovers-5-7-million-in-stolen-crypto-after-bounty-negotiation/