Echo Protocol's eBTC token was drained of $77 million after an attacker compromised an administrative key. The hacker has already moved nearly 5% of the stolen funds through Tornado Cash, but still controls the remaining 955 eBTC — roughly 95% of the haul.
How the attack happened
The exploit targeted the project's admin key, a privileged credential that allowed the attacker to directly access and transfer eBTC tokens. Such keys are typically held by the protocol's team for management tasks, but a single compromised key can unlock the entire vault. Echo Protocol has not yet detailed how the key was exposed, though the scale and speed of the theft point to a direct breach rather than a smart-contract bug.
Funds funneled through Tornado Cash
Within hours of the exploit, the attacker began laundering proceeds through Tornado Cash, a crypto mixer that obscures transaction trails. Nearly 5% of the stolen funds — worth around $3.85 million at current prices — have been sent through the mixer so far. Tornado Cash has been under U.S. sanctions since 2022, but remains operational on the Ethereum network, often used by hackers to break the on-chain link between source and destination wallets.
The bulk of the loot, however, hasn't moved. The attacker still holds 955 eBTC, worth approximately $73 million. That stash sits in wallets that are publicly visible but effectively frozen until the hacker attempts to cash out or launder it further.
What's at stake for eBTC holders
Echo Protocol's eBTC is a liquid-staking token pegged to Bitcoin, meant to let users earn yield while keeping exposure to BTC. The $77 million drain represents a large chunk of the project's total value locked. Users holding eBTC on the platform are now exposed to potential losses, though the protocol may attempt to recover funds through negotiations or insurance if any exists. No recovery plan has been announced yet.
The incident adds to a growing list of DeFi exploits tied to key management failures. Unlike code-based bugs that can be patched, a compromised admin key often means the attacker has full control and little incentive to return funds unless a bounty is offered.
For now, the hacker's next move is the open question. The remaining 955 eBTC could be laundered in chunks through mixers, dumped on a decentralized exchange, or held as leverage for a ransom negotiation. Echo Protocol has not publicly reached out to the attacker, and affected users are waiting for answers.
