A hacker manipulated an administrative account tied to ZKsync’s airdrop system
A security breach on ZKsync resulted in a hacker minting $5 million worth of ZK tokens without permission, according to a statement published by the project’s official X account on April 15. The hacker manipulated an administrative account tied to ZKsync’s airdrop system and used it to mint unclaimed tokens, altering the overall supply.
ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken.
All user funds are safe and have never been at risk. The ZKsync…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
The compromised account managed three contracts that were used to distribute the airdrop. Using the sweepUnclaimed() function, the attacker minted 111 million unclaimed ZK tokens, which increased the token’s circulating supply by nearly half a percent. ZKsync gave assurances that the attack was isolated and that no user funds were touched during the exploit.
The team is already working in partnership with the Security Alliance (SEAL) to track the attacker and recover the hijacked funds. So far, the attacker still controls most of the tokens minted through the exploit. According to ZKsync, there is no chance of further abuse of the same exploit, and the platform’s token contracts and governance are intact.
ZKsync is a layer-2 network on Ethereum known for using zero-knowledge rollup technology to batch transactions efficiently. The platform hosts more than $57 million in total value locked, according to DeFiLlama data. The airdrop in question was part of ZKsync’s plan to distribute 17.5% of its token supply to members of its ecosystem.
Following the news, the ZK token saw sharp price swings. It dropped by as much as 16%, to $0.040, before rebounding to approximately $0.047. Despite the bounce, it still registers a 7% decrease over the last 24 hours.
This incident adds to the growing number of cryptocurrency-related exploits in 2025, a year in which over $2 billion has already been lost to hacks, almost matching last year’s figure.