Skip to content
Est. MMXXVIVol. VI · № 286RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 277Private Key Compromise

Echo Protocol eBTC Admin Key Mint

An attacker minted 1,000 unbacked eBTC (~$76.7M nominal) on Echo Protocol via an admin-key compromise, used it as Curvance collateral, and extracted ~$821K through Tornado Cash before containment.

Date
Victim
Echo Protocol
Chain(s)
MonadEthereum
Status
Partially Recovered

On May 19, 2026, the Monad-based wrapped-BTC issuer Echo Protocol was hit by an admin-key compromise that allowed an attacker to mint 1,000 unbacked eBTC with a nominal face value of approximately $76.7 million. The attacker used a slice of the mint as collateral on the Curvance lending market integrated with Echo, borrowed wBTC against it, bridged to Ethereum, and laundered 384 ETH ($821,700) through Tornado Cash before Echo and Curvance suspended the affected markets. The headline $76.7M figure reflects the maximum value at risk from the unbacked mint; the actual extracted loss is roughly $821K, with the remainder contained by rapid pausing.

What happened

Echo Protocol issues eBTC as a wrapped-BTC representation on the Monad L1, with cross-chain functionality to bridge eBTC to Ethereum and other networks. The mint authority for eBTC was gated by an admin key. The Echo team has not publicly disclosed the precise compromise vector — the laundering pattern and timing are consistent with the broader 2025-2026 pattern of endpoint-level admin-key compromise (phishing, malware, or supply-chain), but no specific attribution has been published.

The attack chain:

  1. The attacker, in control of the eBTC admin key, minted 1,000 eBTC to an attacker-controlled wallet — a mint with no underlying BTC backing.
  2. The attacker deposited approximately 45 eBTC (nominal ~$3.45M) into Curvance, which had Echo's eBTC whitelisted as collateral, and borrowed 11.3 wBTC (~$868K) against it.
  3. The borrowed wBTC was bridged from Monad to Ethereum via the protocol's standard cross-chain path.
  4. The wBTC was swapped for ETH, producing 384 ETH (~$821,700), which was sent to Tornado Cash.
  5. Echo Protocol detected the unbacked mint and suspended cross-chain activity for eBTC; Curvance independently paused its eBTC market to prevent further borrows against the unbacked collateral.
  6. The remaining ~955 minted eBTC was effectively stranded — held by the attacker but unable to be deployed as collateral anywhere or bridged to a venue that would honour it.

Aftermath

  • Echo Protocol paused cross-chain activity for eBTC.
  • Curvance paused its eBTC lending market, preventing further borrows against the unbacked tokens.
  • Actual extracted value: ~$821K in ETH through Tornado Cash.
  • Nominal value at risk: $76.7M — the worst-case if the full unbacked mint had been deployed as collateral and borrowed against before containment.
  • No public recovery of the laundered ETH.
  • Echo Protocol committed to a public review of admin-key custody and signalled a move to a multi-sig with timelock for future mint authority.

Why it matters

Echo Protocol is a useful catalogue entry because it illustrates the gap between nominal and realised loss in admin-key incidents. The same admin-key compromise pattern at a less-contained target would have produced a $76.7M loss — the attacker had the unbacked supply, and only rapid pausing by Echo and Curvance prevented its deployment.

The structural pattern is identical to Wasabi Protocol (Apr 30, 2026, $5M) — a single admin key with mint or upgrade authority over a large pool of value, compromised at the endpoint level. The 2026 pattern across both:

  • No timelock between admin action and execution.
  • No multi-signature requirement for value-creating operations.
  • Cross-chain reach — once the unbacked asset exists, the attacker bridges it before any single chain's monitoring can react.

The defensive variables that determined Echo's relatively contained outcome:

  1. Fast detection — the unbacked mint was visible on-chain immediately, and the integrated lending venue (Curvance) was monitored closely enough to catch the abnormal borrow within the same hour.
  2. Coordinated pausing between issuer and integrating protocols — Curvance's willingness to pause its eBTC market on incomplete information limited the attacker's borrow surface.
  3. Cross-chain bridge throughput — the attacker only managed to extract a small fraction of nominal value before pausing took effect, in part because high-value bridges have rate limits.

What didn't work was prevention: the admin-key configuration that allowed the unauthorised mint was the same single-EOA-with-mint-authority pattern that the broader catalogue has been documenting incident-by-incident through 2025-2026. The May 19 Echo incident sits inside the same five-day cluster as THORChain (May 15, ~$10.8M signing-scheme exploit) and the Verus-Ethereum bridge (May 18, $11.58M value-binding gap), making mid-May 2026 the period when the year's "bridges and cross-chain are back as the dominant target" thesis crystallised in the security-monitoring community.

Sources & on-chain evidence

  1. [01]cointelegraph.comhttps://cointelegraph.com/news/echo-protocols-ebtc-exploited-for-76m-in-admin-key-compromise
  2. [02]cryptoninjas.nethttps://www.cryptoninjas.net/news/echo-protocol-hack-sparks-76m-panic-after-hacker-mints-fake-ebtc-and-drains-eth/
  3. [03]cryptotimes.iohttps://www.cryptotimes.io/2026/05/19/echo-exploit-hacker-moves-821k-through-tornado-after-ebtc-mint/
  4. [04]beincrypto.comhttps://beincrypto.com/echo-protocol-monad-exploit-may-hacks/

Related filings