In a major win for crypto security, ZKsync has successfully recovered nearly $5.7 million in stolen assets after a hacker agreed to return the funds in exchange for a 10% bounty.
The funds were originally stolen on April 15 during a security breach involving ZKsync’s airdrop distribution contract. The hacker exploited a vulnerability in the sweepUnclaimed() function, minting 111 million unclaimed ZK tokens, valued at around $5 million at the time.
In an unexpected turn, the hacker opted to take the ethical route—returning 90% of the stolen tokens and keeping 10% as a bounty. The recovery was completed in three swift transfers on April 23, all within ZKsync’s 72-hour “safe harbor” window.
> “We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline,” the ZKsync Association posted on X.

Transfers included:

- $2.47M in ZK tokens
- $1.83M in ETH via the ZKsync Era blockchain
- 776 ETH (~$1.4M) sent to an Ethereum address, as shown on Etherscan

Thanks to a rise in market prices—ZK up 16.6% and ETH up 8.8%—the returned value actually exceeded the stolen amount.
Importantly, no user funds were compromised. The breach stemmed from ZKsync’s admin account, not individual wallets. A full report on the incident is expected soon.
Despite the good news, the ZK token didn’t surge—dipping 0.2% in the last 24 hours. Still, this recovery is seen as a strong move in building trust and setting new standards in decentralized security practices.
ZKsync Era, an Ethereum Layer 2 scaling solution using zero-knowledge rollups, continues to grow—with $59M total value locked and over $2B in real-world assets on-chain.