The team behind the layer 2 blockchain platform ZKsync has issued a stark 72-hour deadline to the perpetrators of a recent exploit, demanding the return of 90% of misappropriated digital assets to potentially avoid legal consequences.
In messages posted both on-chain and via official channels, the ZKsync Security Council extended an offer presented as a path to an amicable resolution. “To resolve this matter amicably in the spirit of safe harbor, we are offering a 10% bounty for your cooperation if you return 90% of the funds involved in the exploit,” the ZKsync team stated. This approach mirrors tactics sometimes seen in the DeFi space where projects offer a ‘white hat’ bounty to reclaim stolen assets.
The ultimatum follows confirmation on April 15th that an administrative wallet associated with ZKsync was compromised. The security breach resulted in the theft of ZK tokens valued at approximately $5 million. Project representatives clarified that these tokens were part of a reserve from the recent ZKsync airdrop that had not yet been claimed.
Despite the significant crypto exploit, ZKsync assured its community that user funds remained secure throughout the incident. They emphasized that the core ZKsync protocol and the ZK token contracts themselves were unaffected and remained robust.
An investigation into the breach was immediately launched and remains active. The public ultimatum comes as the ZK token experiences some price recovery.
The demand specifies the return of precisely 44,687,278.5988 ZK tokens to a designated ZKsync Era address. Additionally, the hacker must send 1,021.3 Ethereum (ETH) and another 766 ETH to specified addresses, including one on the main Ethereum layer 1 network controlled by the ZKsync Security Council.
ZKsync highlighted that funds sent to these specific council-controlled addresses would bypass transaction filters currently blocking movements from the wallets holding the exploited assets. The deadline for receiving the funds is firm.
Should the exploiter comply fully within the 72-hour window, ZKsync has pledged to publicly confirm the resolution and consider the matter closed without pursuing further action. However, failure to meet the deadline will prompt ZKsync to escalate the situation and involve law enforcement agencies.