Zoth's security compromised again

Zoth’s security defenses crumbled like a digital house of cards on March 21, 2025, when hackers drained a staggering $8.85 million from the protocol. The attack, which targeted a proxy contract using compromised admin privileges, marks the second breach in just two weeks. Remember that first hit on March 6th? A mere appetizer at $285,000 compared to this main course of digital theft.

The hackers’ method was devastatingly simple: they obtained a private key. With that golden ticket, they upgraded a contract called “USD0PPSubVaultUpgradeable” to connect to their malicious code. No fancy zero-day exploits needed—just good old-fashioned key theft. The entire operation took minutes, not hours.

Sometimes the most devastating attacks aren’t technical marvels—just a stolen key and a few minutes of execution.

Once inside, the attackers converted the stolen USD0++ tokens to DAI, then quickly swapped to ETH before transferring everything to an external wallet (0x7b0c…60cf). Follow the money and you’ll find it leads back to ChangeNOW, suggesting a carefully planned exit strategy. The hackers exchanged the stolen funds for approximately 8.3 million DAI to make tracking more difficult.

This hack brings Zoth’s total losses to approximately $9.13 million. The company has taken its website offline for “maintenance”—code for “we’re in crisis mode.” The breach dealt a significant blow to Zoth’s ZeUSD stablecoin, which is backed by their tokenized liquid notes. Users could potentially have prevented losses by storing their assets in hardware wallets rather than leaving them vulnerable on the platform. Zoth has dangled a $500,000 bounty for anyone who can identify the perpetrator, but that’s small comfort to users wondering if they’ll ever see their funds again.

The breach highlights a persistent weakness in DeFi: centralized control points. When one key controls millions, that key becomes a juicy target. Want to avoid becoming the next victim? Demand protocols implement multisig wallets, timelocks for upgrades, and real-time alerts for admin changes.
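The "real-time alerts" recommendation can be made concrete for the kind of proxy upgrade described above. The following is an added example, not code from Zoth or from the original article: it assumes the watched proxy follows ERC-1967 and emits `Upgraded(address)`, and that the approved list is filled from upgrades queued through the multisig or timelock. The function names, addresses and log entries are constructed for illustration.

```python
# Added example, not Zoth's code. Assumption: the watched proxy follows ERC-1967
# and emits Upgraded(address indexed implementation) on every upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def find_upgrade_alerts(logs, watched_proxies, approved_impls):
    """Return an alert for each upgrade of a watched proxy to an unapproved implementation."""
    watched = {a.lower() for a in watched_proxies}
    approved = {a.lower() for a in approved_impls}
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        if log.get("removed"):  # log was dropped by a chain reorg
            continue
        if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC:
            continue
        proxy = log["address"].lower()
        impl = topic_to_address(topics[1])
        if proxy in watched and impl not in approved:
            alerts.append({"proxy": proxy, "new_impl": impl,
                           "tx": log["transactionHash"]})
    return alerts

# Constructed sample data: placeholder addresses and hashes, not on-chain values.
PROXY = "0x" + "aa" * 20
APPROVED_IMPL = "0x" + "bb" * 20
UNKNOWN_IMPL = "0x" + "cc" * 20

def pad(addr):
    """Encode an address the way it appears in an indexed event topic."""
    return "0x" + "00" * 12 + addr[2:]

SAMPLE_LOGS = [  # shaped like eth_getLogs results
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(APPROVED_IMPL)],
     "transactionHash": "0x01"},   # approved upgrade: no alert
    {"address": "0x" + "AA" * 20, "topics": [UPGRADED_TOPIC, pad(UNKNOWN_IMPL)],
     "transactionHash": "0x02"},   # unapproved upgrade, mixed-case address: alert
    {"address": "0x" + "dd" * 20, "topics": [UPGRADED_TOPIC, pad(UNKNOWN_IMPL)],
     "transactionHash": "0x03"},   # proxy not on the watch list
    {"address": PROXY, "topics": ["0x" + "ee" * 32],
     "transactionHash": "0x04"},   # unrelated event
]

if __name__ == "__main__":
    for alert in find_upgrade_alerts(SAMPLE_LOGS, [PROXY], [APPROVED_IMPL]):
        print("ALERT unapproved upgrade:", alert)
```

An alert like this only shortens response time; the multisig and timelock are what give defenders a window in which to act on it.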

This incident fits into a troubling pattern across the industry, with February 2025 alone seeing over $1.5 billion vanish from platforms like Bybit and zkLend. The message is clear: in crypto, you’re only as secure as your weakest link. For Zoth, that link snapped twice in one month, leaving investors wondering not if but when the next attack will come.