ZKsync X accounts hacked to promote fake SEC warnings and malicious airdrop

Hackers took over the official X accounts of ZKsync and developer Matter Labs to spread fake SEC warnings and promote a phishing airdrop.
In its latest update, posted on May 13 from the main ZKsync account, the team said both accounts are “fully back in the control of the team.”
Notably, the breach likely occurred through compromised delegated accounts, which have since been disconnected. ZKsync noted that all malicious tweets have been deleted, and an internal investigation is underway.
However, a follow-up post from a ZKsync-affiliated developer account later warned that the accounts were still compromised, urging users not to interact. This has raised fresh concerns about whether full recovery was actually achieved at the time of the initial statement.
The attackers initially used the hacked accounts to stir panic. In one now-deleted post, they falsely claimed ZKsync was under investigation by the U.S. Securities and Exchange Commission and warned of possible sanctions from the Treasury Department.
Market commentators like g8keep co-founder Harrison Leggio suggested the move was a deliberate attempt to crash ZKsync’s token price.
“Instead of dropping a token and stealing a few bucks they decided to scare the living shit out of onchain degens,” he wrote in an X post following the attack.
Shortly after, the hackers published a second post promoting a fake ZK token airdrop, which included a phishing link designed to drain users’ wallets. The post was live for a few minutes before the team managed to take it down.
It is still unclear how many users may have clicked the link, and ZKsync has yet to confirm whether any losses were reported.
At the time of writing, the ZK token was down over 5%, trading around $0.07, according to CoinGecko. The drop followed a dip of roughly 2% right after the fake SEC warning went live.
For ZKsync, the attack comes less than a month after another major security lapse. On April 15, an attacker exploited admin access to the platform’s airdrop distribution contract and minted 111 million unclaimed ZK tokens, worth approximately $5 million at the time.
The attacker later returned 90% of the stolen tokens, keeping the remaining 10% as a self-declared bounty. That exploit occurred during the ongoing distribution of 17.5% of ZK’s total token supply to ecosystem participants.
Although most of the funds were returned, the back-to-back breaches have raised questions about the platform’s internal security processes.