ZKsync heist losses surge

ZKsync got slammed with a $5 million heist on April 15, 2025, as some crafty attacker snatched 111 million unclaimed ZK tokens. Prices? Yeah, they tanked over 8%. Investor trust? Absolutely gutted. A compromised admin account let this creep trigger the `sweepUnclaimed()` function, funneling tokens straight to their wallet. What a mess. ZKsync claims the protocol’s safe now, but the damage is done. Stick around—there’s more to unpack on this disaster.

ZKsync heist trust eroded

Brace yourselves—ZKsync, the Ethereum Layer-2 darling, just got hit hard. Around April 15, 2025, a sneaky attacker pulled off a $5 million heist, snagging 111 million ZK tokens. That’s right, folks, they didn’t just steal—they minted their own jackpot, exploiting unclaimed tokens from a June 2024 airdrop.

And how? By cracking into an admin account with control over three distribution contracts. Ouch. That’s a gut punch to a platform supposed to be scaling Ethereum, not scaling disaster.

Here’s the dirty play: the attacker got hold of a compromised key, waltzed into the system, and triggered a function called `sweepUnclaimed()`. Boom. Unclaimed tokens straight to their wallet, no questions asked. The address? Some cryptic string—0x842822c797049269A3c29464221995C56da5587D—if you’re into playing crypto detective.

This wasn’t just a slip-up; it bloated the ZK token supply by 0.45%. Not huge, but enough to make investors sweat. ZKsync’s team caught wind of it fast, though, and spilled the beans on their X account by April 16. Good on them for not hiding, but still—too late for that $5 mil. Moreover, this incident has raised serious questions about whether ZKsync can maintain its reputation as the most funded layer-2.

The market? Oh, it felt the sting. ZK token prices tanked, dropping between 7% and 20% depending on who’s reporting. Investors are fuming, and the community’s buzzing with criticism. Rightfully so. Airdrop contracts and admin keys looking fragile as glass—great look for a “secure” platform, right?

Meanwhile, ZKsync swears the protocol, token contract, and user funds are safe. They’ve locked down the `sweepUnclaimed()` exploit, partnered with Security Alliance and exchanges for recovery, and promised a full report. But let’s be real, trust took a hit harder than the token price. Security analysts have since confirmed that the breach stemmed from a compromised admin key, highlighting a critical vulnerability in key management.

And get this—rumors swirl about the ZKsync team dumping tokens post-breach. True or not, it’s fueling distrust faster than a meme coin scam. With $57.3 million in TVL on the line and crypto hacks trending in 2025, this ain’t just a blip.

It’s a glaring neon sign: decentralized doesn’t mean invincible. ZKsync’s got some explaining—and fixing—to do. Period.
