Just two months after the exploit, Kinto’s K token dropped sharply on the news, wiping out the remaining value it had recovered.
Ethereum Layer 2 (L2) network Kinto, which focused on compliance, is shutting down two months after an exploit drained millions from the protocol, and wiped out 90% of its token’s value.
In an X thread on Sunday, Sept. 7, the Kinto co-founder Ramon Recuero said that the team “tried everything to come back,” but the damage from the hack and the loss of trust afterward proved too much to reverse.
In a separate X thread the same day, the official account for Kinto explained that the team raised over $1 million after the exploit via an effort called “Phoenix,” but the 577 ETH that was drained in the exploit — worth about $2.5 million at current prices — and new debt in addition to market conditions “killed further fundraising.”
“The team has been unpaid since July. It’s time to face reality and shut down responsibly,” Kinto wrote in the X post. Following the announcement, Kinto’s native token, K, lost over 97% in value, dropping sharply from $2.40 to $0.50, per data from CoinGecko. At press time, K has dropped even further, down about 70% over the last 24 hours to trade around $0.08.
‘Needed to Take Swift Action’
Phoenix lenders, who put up $1.05 million to help Kinto stay afloat, will get back about 76% of their money, the project said. Recuero also said he wiped out $75,000 in debt and added $55,000 of his own cash so that smaller lenders on Morpho protocol — users of which also fell victim in the exploit — each get at least $1,000. “That makes all the small lenders whole,” he wrote on X.
As Recuero explained in commentary for The Defiant, the team tried to stay afloat and even secured a $5 million equity commitment from Nimbus Capital to accelerate post-hack recovery, but that deal eventually “fell through.”
“We also explored OTCs but they were really difficult to justify given that the value of the collateral needed to stay up to justify repayment. As our fundraising options disappeared, every day we were going further and further in debt so we needed to take swift action to be able to repay as much as we could,” Recuero told The Defiant.
KYC Data Will Be Deleted
Users can withdraw whatever assets they still have on Kinto’s network until Sept. 30, the project said. After that, those balances will be moved into a perpetual on-chain claim so they can be recovered anytime. A separate claim portal for Morpho victims opens Oct. 1, tied to an instrument that gives them 100% of any future recoveries.
Because Kinto was compliance-focused and required know your customer (KYC) identification data to use its network, users had submitted documents through third-party providers like Plaid and Onfido. Recuero emphasized in comments to The Defiant that Kinto “does not store KYC data,” adding that all the KYC providers “will be instructed to delete all data as we cancel our contracts by the end of the month.”
Lazarus Behind the Attack
Kinto’s collapse traces back to a bug in the ERC1967Proxy standard, where hackers minted 110,000 tokens, drained liquidity, and sent Kinto’s native token K crashing from $7.69 to $0.50 in under an hour. Nearly $13 million in value evaporated.
Shortly after the attack, Recuero told The Defiant exclusively that “all signs point to Lazarus,” a North Korean state-sponsored hacking group that was also responsible for the $1.5 billion Bybit hack earlier this year.
K briefly regained all of the lost value in August, rising to $8 on Aug. 14, before beginning a steady decline and then dropping sharply this weekend on the news that the protocol would shut down entirely.
Critics said that the team should have caught the flaw, but Recuero pushed back, noting that the exploited contract wasn’t even written by the Kinto team, and adding that the vulnerable proxy contracts “were audited by 30 different auditors, part of the OpenZeppelin foundational contract library and had been used for 10 years until now.”
Founded in February 2023, Kinto secured $5 million in seed funding to launch “the first KYC’ed Layer 2.” Of that, $1.5 million came from a pre-seed round led by Kyber Capital Crypto, and $3.5 million from a follow-on led by Kyber, Spartan Group, and ParaFi, with participation from SkyBridge, Kraynos, Soft Holdings, Deep Ventures, Modular, Tane, and Robot Ventures.
In February of this year, Brevan Howard Digital’s Abu Dhabi arm deployed $20 million in assets onto Kinto’s network, adding institutional liquidity to the protocol.