Hackers took over the official X accounts of ZKsync and developer Matter Labs to spread fake SEC warnings and promote a phishing airdrop.
According to the latest update posted on May 13 from the main ZKsync account, the team said both accounts are “fully back in the control of the team.”
Notably, the breach likely occurred through compromised delegated accounts, which have since been disconnected. ZKsync noted that all malicious tweets have been deleted, and an internal investigation is underway.
However, a follow-up post from a ZKsync-affiliated developer account later warned that the accounts were still compromised, urging users not to interact. This has raised fresh concerns about whether full recovery was actually achieved at the time of the initial statement.
The attackers initially used the hacked accounts to stir panic. In one now-deleted post, they falsely claimed ZKsync was under investigation by the U.S. Securities and Exchange Commission and warned of possible sanctions from the Treasury Department.
Market commentators like g8keep co-founder Harrison Leggio suggested the move was a deliberate attempt to crash ZKsync’s token price.
“Instead of dropping a token and stealing a few bucks they decided to scare the living shit out of onchain degens,” he wrote in an X post following the attack.
Shortly after, the hackers published a second post promoting a fake ZK token airdrop, which included a phishing link designed to drain users’ wallets. The post was live for a few minutes before the team managed to take it down.
While it’s still unclear how many users may have clicked the link, ZKsync has yet to confirm whether any losses were reported.
At the time of writing, ZK token was down over 5%, trading around $0.07, according to CoinGecko. The drop followed a dip of roughly 2% right after the fake SEC warning went live.
For ZKsync, the attack comes less than a month after another major security lapse. On April 15, an attacker exploited admin access to the platform’s airdrop distribution contract and minted 111 million unclaimed ZK tokens, worth approximately $5 million at the time.
The attacker later returned 90% of the stolen tokens, keeping the remaining 10% as a self-declared bounty. That exploit occurred during the ongoing distribution of 17.5% of ZK’s total token supply to ecosystem participants.
Although most of the funds were returned, the back-to-back breaches have raised questions about the platform’s internal security processes.
