ZKsync Is Under Attack: Admin Key Compromised, $5 Million in ZK Tokens Stolen

This incident does not affect the ZKsync protocol, the ZK token contract, the three governance contracts, or the core user assets

ZKsync is under attack: admin key compromised, $5M in ZK tokens stolen

The ZKsync security team has identified a compromised admin account that took control of ≈$5M worth of ZK tokens - the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being implemented. All user funds are safe and have never been at risk. The ZKsync protocol, the ZK token contract, the three governance contracts, and core user assets are not affected.

The incident is limited solely to the account that was the admin of the three airdrop distribution contracts, which was compromised. The address in question is: 0x842822c797049264A3c29464221995C56da5587D.

Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.

The attacker called the sweepUnclaimed() function that permits collecting the unclaimed airdrop tokens and transferring them to a chosen address.

The attacker then used the public function sweepUnclaimed() to initiate a transaction.

The majority of the tokens were then transferred to the address b1027ed67f89c9f588e097f70807163fec1005d3, which is presumably controlled by the attacker.

In total, 111 million ZKsync tokens were minted, estimated at a value of around $5 million.

The ZKsync team is working to clarify the full details of the incident in cooperation with Seal 911 and has also reached out to a number of crypto exchanges to ensure that any attempt to withdraw the stolen funds results in their freezing.

However, the attack had already impacted the ZKsync token’s price, with a sharp drop of ≈13% immediately following the incident - from $0.0477 to $0.0415.

It’s also worth noting that, just as the exploit was quickly contained, the token price also rebounded without major delay and is now trading at approximately $0.0464.

Just recently, we analyzed a rather sophisticated attack on Atomic and Exodus wallets. One of the key takeaways we highlighted was that attackers tend to target infrastructure surrounding blockchain solutions rather than the protocols themselves.

This incident serves—albeit less obviously—as another illustration of that pattern. It’s significantly easier for attackers to compromise an administrative account than to hack a core protocol that has undergone extensive audits and has been battle-tested in production (although such attacks are still possible).

The same principle applies to integration or partner breaches, such as the recent case with Bybit, which remains one of the most advanced and secure crypto exchanges in the market.