A recent exploit targeting ZKsync’s airdrop contract has reached a swift resolution, as the hacker responsible for draining nearly $5 million in digital assets returned the funds within the project’s 72-hour safe harbor window. The Ethereum Layer-2 network confirmed the recovery on social media, stating that the matter is now “considered resolved.”
The attacker handed back over 44.6 million ZK tokens and nearly 1,800 ETH, meeting the conditions set by ZKsync’s team, which had offered a 10% bounty in exchange for the safe return of 90% of the stolen funds. This strategic approach allowed ZKsync to avoid legal escalation while securing the bulk of the assets.
The recovered funds are now under the control of the ZKsync Security Council. A final decision on redistribution will be made through community governance, with a formal incident report expected in the coming days.
ZKsync Contained Exploit After Hacker Abused Compromised Key
The exploit stemmed from a breach earlier this week, in which a compromised private key linked to the ZK token airdrop contract enabled an attacker to mint tokens and reroute millions in unclaimed rewards. The attacker moved the stolen funds across Ethereum and ZKsync’s Layer 2 network before pausing to weigh the protocol’s response.
In a swift countermeasure, ZKsync issued an on-chain ultimatum offering a 10% bounty if 90% of the stolen crypto was returned within 72 hours. The protocol made clear that ignoring the offer would lead to law enforcement involvement and the initiation of a full-scale criminal investigation.
While the exploit was significant in scope, ZKsync reassured users that the core protocol and token contract remained uncompromised. “All user funds are safe and have never been at risk,” the team posted on Tuesday, emphasizing that the vulnerability was limited to the airdrop mechanism and not the underlying blockchain infrastructure.
Hack Losses Top $1.6B in Just Two Months
The ZKsync airdrop exploit may have been swiftly resolved, but it underscores a much larger crisis engulfing the digital asset sector in 2024. According to multiple blockchain security firms, the first quarter of the year has been historically brutal for crypto platforms—with over $1.6 billion in assets stolen in just the first two months, and $1.67 billion lost overall by the end of Q1.
Immunefi and CertiK, two leading security intelligence providers, reported that the vast majority of these losses stem from sophisticated hacks, scams, and smart contract exploits. The staggering figure represents more than two-thirds of all stolen crypto from 2023—compressed into just one quarter.
The most devastating blow came from the Bybit incident, which alone accounted for $1.45 billion in losses and has since ignited fresh debate around centralized exchange security protocols. Across the board, private key compromises have emerged as a leading vulnerability, contributing to $142.3 million in damages over only 15 known cases.
Quick Facts:
- A hacker exploited ZKsync’s airdrop contract, stealing nearly $5 million in crypto assets.
- The attacker returned the funds after accepting a 10% bounty under a safe harbor agreement.
- Only 0.38% of stolen crypto funds were recovered in Q1 2025, according to CertiK.