
When hackers no longer simply 'vanish,' but instead start 'bargaining for returns' — is this a new paradigm of security in Web3, or a gray area of consent under regulatory absence?
Just as the crypto world frequently showcases the drama of hacker attacks and defenses, a recent security incident involving ZKsync ended in what seems to be a 'reconciliation' — the hacker returned over 5.7 million USD worth of stolen tokens within just a few days, keeping only 10% as a 'bounty' for leaving.
The ins and outs of this incident and its handling not only garnered widespread attention but also revealed a new shift in security governance in the Web3 era: the boundaries between hackers, protocols, and communities are no longer clear-cut, and interest coordination and consensus mechanisms are beginning to replace sheer crackdown and confrontation.
[Event Review] The vulnerability began with the airdrop and ended with 'negotiation.'
On April 15, ZKsync was carrying out its token airdrop, which released 17.5% of the ZK token supply to ecosystem contributors. During that window an attacker used the compromised admin account of the airdrop distribution contracts to call the contracts' sweepUnclaimed() function, minting roughly 111 million unclaimed ZK tokens, worth about 5 million USD at the time.
With that admin access in hand, the attacker moved the tokens to a wallet under their control in three transactions; the whole thing was over before most of the community had noticed.
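To make the weak point concrete, here is an added illustrative pair of Solidity contracts written for this page. It is not ZKsync's code, and the contract names, the IMintableToken interface, the guardian role and the two-day delay are all assumptions. The first contract has an admin-only sweep that can be fired at any time, to any address, with a single key; the second keeps the same feature but restricts when it can run, where the tokens can go, and how fast it can happen.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical mint interface; the real ZK token and distributor differ.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

/// Weak pattern: one admin key, a sweep that works at any time, and a
/// caller-chosen destination. A leaked key drains the unclaimed pool
/// in a single transaction.
contract AirdropDistributorWeak {
    IMintableToken public immutable token;
    address public admin;
    uint256 public unclaimed;                      // allocation not yet claimed
    mapping(address => uint256) public allocation; // loading omitted for brevity

    constructor(IMintableToken _token, uint256 _total) {
        token = _token;
        admin = msg.sender;
        unclaimed = _total;
    }

    function claim() external {
        uint256 amt = allocation[msg.sender];
        require(amt > 0, "nothing to claim");
        allocation[msg.sender] = 0;
        unclaimed -= amt;
        token.mint(msg.sender, amt);
    }

    // No deadline, no delay, destination chosen by whoever holds the key.
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amt = unclaimed;
        unclaimed = 0;
        token.mint(to, amt);
    }
}

/// Hardened pattern: the sweep only runs after the claim window closes,
/// only to a treasury fixed at deployment, and only after a public delay
/// that monitoring can see and an independent guardian key can veto.
contract AirdropDistributorHardened {
    IMintableToken public immutable token;
    address public immutable treasury;             // fixed, never a call parameter
    uint256 public immutable claimDeadline;
    uint256 public constant SWEEP_DELAY = 2 days;  // assumed value
    address public admin;                          // expected to be a multisig
    address public guardian;                       // separate key, can only cancel
    uint256 public unclaimed;
    uint256 public sweepReadyAt;                   // 0 means no sweep scheduled
    mapping(address => uint256) public allocation; // loading omitted for brevity

    event SweepScheduled(uint256 readyAt, uint256 amount);
    event SweepCancelled(address by);
    event Swept(uint256 amount);

    constructor(IMintableToken _token, address _treasury, address _guardian,
                uint256 _total, uint256 _claimWindow) {
        require(_treasury != address(0) && _guardian != address(0), "zero addr");
        token = _token;
        treasury = _treasury;
        guardian = _guardian;
        admin = msg.sender;
        unclaimed = _total;
        claimDeadline = block.timestamp + _claimWindow;
    }

    function claim() external {
        require(block.timestamp <= claimDeadline, "claim window closed");
        uint256 amt = allocation[msg.sender];
        require(amt > 0, "nothing to claim");
        allocation[msg.sender] = 0;
        unclaimed -= amt;
        token.mint(msg.sender, amt);
    }

    // Step 1: announce. The event is what off-chain monitoring alerts on.
    function scheduleSweep() external {
        require(msg.sender == admin, "not admin");
        require(block.timestamp > claimDeadline, "claim window still open");
        sweepReadyAt = block.timestamp + SWEEP_DELAY;
        emit SweepScheduled(sweepReadyAt, unclaimed);
    }

    // Either key can abort during the delay, so a lone compromised admin
    // cannot force the sweep through unobserved.
    function cancelSweep() external {
        require(msg.sender == admin || msg.sender == guardian, "not authorised");
        sweepReadyAt = 0;
        emit SweepCancelled(msg.sender);
    }

    // Step 2: execute, and only ever into the treasury.
    function sweepUnclaimed() external {
        require(msg.sender == admin, "not admin");
        require(sweepReadyAt != 0 && block.timestamp >= sweepReadyAt, "sweep not ready");
        uint256 amt = unclaimed;
        unclaimed = 0;
        sweepReadyAt = 0;
        token.mint(treasury, amt);
        emit Swept(amt);
    }
}
```

The design point is that the three controls fail independently: even if an attacker with the admin key waits out the claim window and the guardian misses the SweepScheduled event, the tokens can still only be minted to the treasury, so a stolen key buys nuisance value rather than 111 million tokens.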
The plot twist came just as fast: the ZKsync Security Council offered the attacker a 72-hour 'safe harbor' window, and the attacker took it, returning 90% of the stolen assets and keeping 10% as a bounty.
On April 23, on-chain data showed the return:
approximately 2.47 million USD worth of ZK tokens;
approximately 1.83 million USD worth of ETH;
and a further 776 ETH (approximately 1.4 million USD).
All three transfers were completed within 15 minutes.
In dollar terms ZKsync therefore got back more than the original theft had been worth, not because more was returned but because both ZK and ETH rose after the incident (ZK up 16.6%, ETH up 8.8%).
[Data and Reflection] The 'reconciliation' of 5.7 million USD, is it success or compromise?
The ZKsync team issued a statement on X confirming that the incident was resolved and stressing that 'no user funds were affected', a line clearly meant to calm the panic.
However, this event of 'bounty for stolen goods' fundamentally exposes several core issues:
Web3 systems still carry avoidable weak points, above all around airdrops and hastily deployed contracts; here a single admin key was enough to reach a function that could mint the entire unclaimed pool.
Hackers are increasingly inclined to 'negotiate for profit' rather than simply disappear with the loot, which reflects the collision between bounty culture and decentralized governance.
How a protocol responds in the hours after an attack has become a matter of life and death for the project, and ZKsync's quick response in this case has earned it some credit.
It also raises the question of whether the security frontier in Web3 is shifting from 'keeping hackers out' to 'negotiating with them once they are in'.
[Background Expansion] Hacking intensifies: 1.6 billion USD lost in Q1, with North Korean groups as the mastermind behind the scenes.
The ZKsync incident is only the tip of the iceberg. According to a report from the blockchain security company Immunefi, the crypto industry lost 1.636 billion USD to hacks in the first quarter of 2025, a record for a single quarter.
Among them:
Bybit lost 1.46 billion USD in a February attack;
Phemex lost 69.1 million USD in January;
The North Korea-linked Lazarus Group is believed to be behind the largest of these, accounting for 94% of all losses.
In other words, hackers are not just 'individual warriors,' but have formed a highly organized, globally collaborative network crime model.
Facing such complex threats, relying solely on traditional security mechanisms is no longer sufficient.
[MLion.ai Perspective] Intelligent defense to stop crises before they emerge.
Although this 'bounty for peace' drama has come to a temporary close, the real question is: who will be the next ZKsync, and how do we see it coming?
This is exactly where intelligent research and on-chain monitoring tools matter, and it is one of the core capabilities of the MLion.ai platform:
Quickly identify potential attack risks through real-time monitoring of on-chain smart contract updates and abnormal fund flows;
Provide security incident tracking reports to evaluate whether protocol governance and response mechanisms are sound;
Integrate sentiment analysis of attack events to help users assess the actual impact of events on the token market;
For airdrops and newly deployed project contracts, use AI modeling to flag 'vulnerability-induced arbitrage' behaviour and widen the investor's security margin.
In a market where vulnerabilities can lead to losses of tens of millions at any time, intelligent defense and dynamic monitoring systems are the next essential options.
[Conclusion] Hackers no longer disappear but instead engage in 'bargaining'? Web3 security is reconstructing boundaries.
The handling model of the ZKsync incident — the bounty return mechanism — is not the first, nor will it be the last. It may be a form of compromise in security mechanisms and could become an inevitable part of future crypto protocol governance structures.
However, we cannot ignore that the issues exposed behind this are far beyond the contract vulnerabilities themselves, more importantly:
How should protocol governance in the Web3 era establish a dynamic emergency mechanism?
Is hacking a crime, or is it in the blurred area of 'white hat negotiation'?
How can investors identify the underlying logic of project security?
In the end, this is not only a battle of technology but also a battle of trust.
Disclaimer: The above content is for informational sharing only and does not constitute any investment advice. The market has risks, and investment should be cautious.