Hacker Mints $5M in ZK Tokens After ZKsync Admin Breach
ZKsync admin breach sparks $5M token theft as ZK price falls

A hacker exploited a vulnerability in the ZKsync network on April 15, breaching an administrative account and minting $5 million worth of unclaimed ZK tokens. The incident was confirmed by ZKsync’s official X account and involved unauthorized access to three airdrop distribution contracts.
Using a function called sweepUnclaimed(), the attacker generated 111 million ZK tokens, increasing the total supply by 0.45%. ZKsync emphasized that the breach was isolated and did not affect any user funds. However, the attacker still holds the majority of the stolen tokens.
In response, ZKsync has partnered with the Security Alliance (SEAL) to recover the stolen assets and prevent future attacks. The platform reassured the public that its core governance and token contracts remain intact and that no additional vulnerabilities exist within the exploited function.
ZKsync operates as a layer-2 Ethereum scaling solution using zero-knowledge rollups to batch transactions. The platform currently holds $57.3 million in total value locked, according to DeFiLlama, and had been in the process of airdropping 17.5% of its token supply to users.
The ZK token dropped 16% following the announcement but recovered slightly to $0.047. Still, it remained down 7% over the past 24 hours. The event adds to the growing list of crypto security breaches, with over $2 billion lost in hacks during Q1 2025 alone.
As the crypto industry faces mounting threats, the ZKsync incident highlights the urgent need for tighter security protocols—especially during high-stakes token distributions.