May 13, 2025

Hackers Spread Fake SEC Probe Claims Through ZKsync X Account

Hackers used the breach to spread false claims of a US regulatory investigation and a fake airdrop link. This triggered an 8% drop in ZK’s price. Matter Labs confirmed the breach stemmed from “compromised delegated accounts” and quickly regained control. Meanwhile, Curve Finance was also hit with another DNS hijack that rerouted its official domain to a malicious site capable of draining user funds, prompting warnings from security firm Blockaid. This followed a similar DNS attack in 2022 and a recent hijacking of Curve’s X account just last week. Separately, the US government is pushing for a two-year prison sentence for Eric Council Jr., who helped hack the SEC’s X account in January of 2024 to post false Bitcoin ETF approval news.

ZKsync Faces Second Major Security Breach

The official X accounts of Ethereum Layer 2 network ZKsync and its developer Matter Labs were compromised in the early hours of May 13, and the hackers were spreading false claims that the platform was under investigation by US regulators. The compromised accounts shared links to a fake airdrop in an apparent phishing attempt and posted a fabricated statement suggesting the US Securities and Exchange Commission (SEC) was investigating ZKsync and that the Treasury Department might impose sanctions on the platform.

ZKsync confirmed the breach through a related X account and warned users not to engage with any posts or links. Matter Labs’ head of communications, Lynnette Nolan, clarified that the posts were not legitimate and assured the public that both accounts were now securely back under team control. She added that the breach may have been executed through “compromised delegated accounts,” which have limited posting privileges on behalf of the main accounts.

After the incident, the price of ZKsync’s native token, ZK, dipped by approximately 2% in an hour and was down 8% on the day, trading around $0.07.
This drop happened despite the token enjoying a strong rally of nearly 35% over the past week.

ZK’s price action over the past 24 hours (Source: CoinMarketCap)

Crypto community members, including g8keep co-founder Harrison Leggio, took to X to comment on the unusual nature of the hack, and pointed out that the attackers opted to spread fear instead of directly stealing funds.

This is the second major breach tied to ZKsync over the past few months. On April 15, a hacker gained access to the platform’s airdrop distribution contract and used an admin function to mint 111 million unclaimed ZK tokens, which were worth around $5 million at the time. That attacker later returned 90% of the tokens, but held on to 10% as a bug bounty.

Curve Finance Hit by DNS Attack Again

Curve Finance, a well-known decentralized finance (DeFi) protocol, also recently issued an urgent warning after its domain name system (DNS) was reportedly hijacked for the second time in a week. In a post that was shared on X on May 12, the Curve team warned users not to interact with the site, as the DNS was rerouting visitors to a malicious page designed to steal funds. This DNS manipulation means that while the official domain name is being used, it is actually pointing to a different IP address under the control of the attackers.

The Curve team confirmed that the website was not technically hacked but was instead pointing to an incorrect IP address due to DNS tampering. They reassured the community that internal security measures like passwords and two-factor authentication were still intact and that the issue appeared to stem from the domain registrar. The team contacted the registrar to address the breach and regain full control. Importantly, Curve also clarified that while the DNS is compromised, its underlying smart contracts are safe and have not been affected.
This latest incident is very similar to a previous attack Curve suffered in August of 2022, where attackers cloned the website and redirected the DNS to a lookalike page that drained users’ wallets. The DeFi protocol warned that the current malicious domain is capable of similarly draining funds from users who unknowingly interact with it.

On-chain security firm Blockaid corroborated the warning, and labelled the situation as a potential front-end attack. Blockaid advised users to avoid signing any transactions or engaging with the DApp until the matter is resolved. They also confirmed that there is ongoing collaboration with Curve and affected partners to mitigate the threat.

This is the second time in just one week that Curve faced a major security issue. On May 5, the protocol’s official X account was hijacked. However, Curve later clarified that the social media breach was isolated and did not affect other accounts or lead to any confirmed financial losses. That incident followed a broader trend of high-profile X account takeovers, including Tron DAO and even UK Member of Parliament Lucy Powell, whose accounts were compromised to promote scam crypto tokens. The Curve Finance team continues to investigate the DNS breach.

Feds Seek Prison Time for SEC X Account Hacker

Meanwhile, the US government recommended a two-year prison sentence for Eric Council Jr., the person who helped hijack the SEC’s X account to post a false announcement about the approval of spot Bitcoin exchange-traded funds (ETFs). In a filing that was submitted on May 12 in the US District Court for the District of Columbia, prosecutors urged Judge Amy Berman Jackson to impose a sentence that reflects the seriousness of Council’s actions, which briefly disrupted financial markets in January of 2024.

Council pleaded guilty to being part of a coordinated scheme that used a SIM swap attack to gain unauthorized access to the SEC’s official social media account.
The fake message posted through the account falsely claimed that spot Bitcoin ETFs were approved, which caused the price of Bitcoin to jump by more than $1,000 before SEC Chair Gary Gensler issued a correction. The official approval came a day later, but the fake announcement already rattled markets and drew widespread attention.

Prosecutors described the attack as a “sophisticated fraud scheme” involving forged identification documents, fraudulent behavior at telecommunications stores, and coordination with co-conspirators in the US and overseas. They believe that Council’s actions merit a serious sentence due to the deliberate and far-reaching nature of the fraud. Council’s court appearance is scheduled for May 16.

The case unfolds against the backdrop of leadership changes in the Department of Justice, where President Donald Trump appointed interim US Attorneys in several key jurisdictions, including the District of Columbia. While the impact of these appointments on crypto-related prosecutions is still uncertain, it has raised many questions about the future direction of digital asset enforcement.

Source: Coinpaper
