ZKsync Offers Hacker 10% Bounty to Return Stolen Crypto

In a bold and unconventional move, ZKsync has issued a public message to the hacker responsible for the recent $5 million exploit, offering a 10% bounty in exchange for returning 90% of the stolen funds. The Layer 2 Ethereum scaling solution has set a strict 72-hour deadline, after which it will escalate the matter to law enforcement if no action is taken.

Details of the Exploit

The incident occurred on April 15, when ZKsync’s team confirmed that an administrator’s private key had been compromised. This allowed the attacker to drain approximately:

  • 44,687,278.5988 ZK tokens,
  • 1,021.3 ETH on ZKsync Era,
  • 766 ETH on Ethereum Layer 1.

According to the platform, these funds were part of unclaimed tokens from a previous airdrop allocation and did not affect any user assets. The ZKsync protocol and smart contracts remain secure.

The Ultimatum: 72 Hours to Return Funds

To resolve the matter amicably, ZKsync is offering the attacker a chance to return the majority of the stolen funds in exchange for a 10% cut as a “white hat” bounty. The statement, published both on Ethereum and the project’s official social channels, details the terms:

  • Return 44.6 million ZK tokens to ZKsync Era address 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A
  • Transfer 1,021.3 ETH to the same ZKsync address
  • Send 766 ETH to the Ethereum Layer 1 address 0xb13dF19C56a75f9087CC03b10D482B4a775daB47

The deadline is 72 hours from the time of the onchain message’s publication. If all funds are received by the deadline, ZKsync will publicly confirm resolution and close the case with no criminal charges.

Why ZKsync Is Taking This Approach

ZKsync’s decision reflects a growing trend in the Web3 space, where some projects choose diplomacy over litigation to maximize fund recovery and minimize long-term disruption. Offering a bounty is seen by some as a pragmatic strategy, especially when attackers remain anonymous and traditional enforcement is slow or ineffective.

This method aims to:

  • Recover funds quickly before laundering occurs
  • Avoid lengthy investigations that may not guarantee success
  • Encourage ethical behavior by transforming the attacker into a white-hat participant

However, critics argue that this approach may encourage similar behavior by rewarding malicious actors with a share of the spoils.

What Happens If the Hacker Refuses?

If the attacker fails to respond or refuses to comply before the 72-hour window closes, ZKsync has confirmed it will report the case to law enforcement authorities and begin a full-scale criminal investigation. At that point, the matter will transition from onchain diplomacy to international cybercrime enforcement.

A Precedent in the Making?

This isn’t the first time a Web3 project has tried to resolve an exploit through negotiation. KiloEx recently issued a similar 10% bounty offer to its attacker. However, the effectiveness of these methods remains under scrutiny.

ZKsync’s bold move may serve as a case study in how blockchain platforms can handle crises involving admin breaches, lost keys, and multi-chain asset thefts—all while balancing community trust, legal options, and network stability.