Echo Protocol suffered a security breach Wednesday that led to the unauthorized minting of about $76.7 million worth of eBTC. An attacker compromised an admin-level private key, gaining control over minting permissions, and created roughly 1,000 eBTC without depositing any collateral. The ECHO token dropped more than 11% as panic selling hit the market.
How the exploit worked
The attacker didn't break into any smart contract logic or mess with token math — they simply took over an admin key that had minting privileges. Once they had that control, they minted 1,000 eBTC out of thin air. From there, the stolen tokens were deposited into the Curvance lending market as fake collateral, letting the attacker borrow wrapped Bitcoin (WBTC). The funds were then bridged across networks, converted to ETH, and finally moved through Tornado Cash to obscure the trail. At the time of reporting, about 955 eBTC — the vast majority of the illicit supply — remained under the attacker's control.
Why the admin key mattered
This wasn't a flaw in Echo's smart contracts. Security researchers pointed squarely at centralized control privileges. A single admin key, if compromised, gave the attacker the power to mint unlimited tokens. The underlying Monad blockchain itself wasn't affected; the issue was isolated to Echo Protocol's access control layer. It's a reminder that even when the code is clean, key management can break everything.
The fallout
Echo Protocol paused cross-chain operations almost immediately to limit further movement of stolen funds and prevent additional exploitation. The market reacted fast: the ECHO token price slid over 11% on the news. For users sitting on eBTC or ECHO, the timing isn't great — liquidity has tightened, and the attacker still holds roughly 955 eBTC, which could hit any exchange at any moment.
What's unresolved
Echo Protocol hasn't said when cross-chain operations will resume. The investigation is ongoing, and the attacker's remaining stash is still out there, untouched for now. Whether the stolen eBTC can be frozen or clawed back depends on how much deeper the attacker's control goes — and on whether any bridge or exchange can identify those funds before they move again.
