Stolen Admin Key Mints 1,000 eBTC; Echo Loses $816K

On May 18 an attacker used a stolen Echo Protocol admin key to mint 1,000 eBTC on the Monad network. The tokens had a notional value of $76.7 million. Monad’s underlying network was not compromised.

The attacker used the compromised administrative wallet to grant themselves contract privileges and then minted 1,000 eBTC with no Bitcoin backing. Echo’s eBTC deployment on Monad is separate from its aBTC deployment on Aptos; the incident affected only the Monad deployment. The eBTC contract relied on OpenZeppelin role-based access control and the DEFAULT_ADMIN_ROLE was held by a single externally owned account without timelocks, mint caps or rate limits.

Instead of attempting to sell the full supply on spot markets, the attacker deposited 45 eBTC as collateral into Curvance, a lending market on Monad. Curvance accepted the tokens as collateral and the attacker borrowed about 11.29 WBTC, roughly $868,000. The borrower bridged WBTC to Ethereum, swapped it for about 384 ETH and routed the ETH through Tornado Cash. Security reviews and Monad team estimates place the cashout at about $816,000.

Echo regained control of the admin key, burned the remaining 955 eBTC linked to the incident and paused affected functions on Monad. The team also paused the Aptos bridge and related lending markets as a precaution. Curvance paused its eBTC market and confirmed that its isolated-market design prevented losses from spreading to other pools.

Echo posted that it “identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated fund loss” and reported an investigation pointing to a compromised admin key on the Monad deployment. Monad co-founder Keone Hon tweeted that security researchers estimate roughly $816,000 was taken in the exploit.

Industry tracking shows DeFi losses in 2026 exceeded $1 billion in the first four months of the year, with about $634 million lost in April across more than two dozen incidents. Bridge exploits, compromised admin keys, spoof tokens and private key compromises account for the largest shares of those reported losses.

Protocol teams and auditors have listed controls that were not in place on the affected deployment: multisignature admin control, timelocks for role and mint changes, mint caps, rate limits and on-chain checks to reject freshly minted collateral. Echo said it will apply patches to other EVM bridge deployments and update its admin controls following the incident.