A recent incident involving a hacker exploiting ZKsync’s airdrop contract vulnerability on April 15 has taken an unexpected turn as the perpetrator has voluntarily returned nearly $5.7 million in stolen tokens. This decision came after the hacker accepted a 10% bounty offered by ZKsync as part of a deal to incentivize the safe return of the ill-gotten funds. The vulnerability that was exploited stemmed from a compromised administrative address within the contract, allowing the hacker to execute the sweepUnclaimed() function and mint roughly 111 million unclaimed ZK tokens.
The return of the stolen funds took place on April 23 through three separate transactions, consisting of approximately $2.47 million in ZK tokens and $1.83 million in ETH transferred to the ZKsync Security Council’s address on the ZKsync Era blockchain. Additionally, the hacker sent an extra 776 ETH, equivalent to around $1.4 million, to their Ethereum address. This restitution occurred within a 72-hour timeframe provided by ZKsync, which guaranteed no legal repercussions and a 10% bounty for complying with the terms of returning the stolen assets.
Despite the breach, ZKsync reassured users that their funds remained secure, emphasizing that both the ZKsync protocol and token contract had not been compromised. The company behind ZKsync, Matter Labs, acknowledged the incident and confirmed the successful recovery of the tokens. A comprehensive investigation report detailing the events leading up to the exploit and subsequent return is anticipated to be released soon.
Interestingly, the value of the tokens returned had actually appreciated between the time of the theft and their restitution due to market fluctuations. Following the breach on April 15, the ZK token saw a 16.6% increase, while ETH rose by 8.8%, based on data from CoinMarketCap. Ultimately, the hacker ended up returning more value than the amount originally stolen. Nevertheless, the market response to this incident was subdued, with the token experiencing only a marginal 0.2% drop in the past 24 hours.
This breach adds to the growing trend of cyberattacks within the cryptocurrency space in early 2025. According to CertiK, a total of $1.67 billion was lost in the first quarter alone due to hacks, scams, and exploits, with Ethereum-based projects accounting for the majority of losses, amounting to nearly $1.54 billion across 98 incidents. Immunefi also reported staggering figures, with $1.6 billion in stolen funds during January and February. Notably, private key compromises led to $142.3 million in losses across 15 incidents in the first quarter. Recovery rates have drastically plummeted, with just 0.38% of stolen crypto being successfully recovered this quarter, significantly down from the 42% recovery rate observed in the previous quarter.
The hacker’s decision to return the funds was compelled by an on-chain message from ZKsync that offered the bounty while cautioning of potential legal repercussions if the remaining assets were not relinquished. With the ZKsync Security Council now in possession of over 44.6 million ZK tokens and nearly 1,800 ETH, the community governance will dictate the next steps regarding the recovered funds.
Although the stolen assets have been returned, this incident serves as a stark reminder of the persistent risks present in decentralized finance (DeFi) platforms. It underscores the critical importance of robust contract security measures and prompt response protocols in mitigating potential threats and safeguarding user funds.
In conclusion, while the hacker’s change of heart may have salvaged a precarious situation, the overarching message remains clear – vigilance and diligence are paramount in navigating the ever-evolving landscape of cryptocurrency security.