A hacker compromised a ZKsync administrator account on April 15, resulting in the theft of $5 million in unclaimed airdrop tokens, according to a statement from the official ZKsync X account. The attack was described as isolated, with no impact on user funds.

After investigating, ZKsync detailed the incident on April 15 and revealed that the compromised account had administrative control over three airdrop distribution contracts. The attacker exploited a function called sweepUnclaimed() to mint 111 million unclaimed ZK tokens, increasing the total token supply by 0.45%. At the time of the latest update, the attacker still controlled most of the stolen funds.

Source: ZKsync

ZKsync is coordinating recovery efforts with the Security Alliance (SEAL). According to ZKsync, its governance and token contracts are not affected. The company said that no further exploitation via the sweepUnclaimed() function is possible.

ZKsync is an Ethereum layer-2 protocol that processes main-layer transactions in batches using a technology called zero-knowledge rollups. According to DefiLlama, the total value locked on the ZKsync Era platform was $57.3 million as of April 15. ZKsync has airdropped 17.5% of its token supply to ecosystem participants.

ZK tokens drop 7% in 24-hour trading

ZKsync’s token, ZK (ZK), saw volatile price action after the hack and the project’s public disclosure on X. The token fell 16% to $0.040 and had recovered to $0.047 at the time of writing. Despite the rebound, ZK has dropped by 7% over the past 24 hours.

Overall, crypto hacks caused $2 billion in losses in the first quarter of 2025 alone, just $300 million less than the losses in 2024.