An attacker minted roughly 1,000 unbacked eBTC worth $76.7 million on Echo Protocol's Monad deployment by compromising a single admin key, though the realised loss was around $816,000 after the team regained control and burned the remaining tokens.
An attacker minted roughly 1,000 unbacked eBTC on Echo Protocol's Monad deployment on May 19, briefly inflating the supply of a Bitcoin-pegged token by about $76.7 million before the team froze the contract. The real money that left the system was closer to $816,000, almost all of it laundered through Tornado Cash. The remaining 955 eBTC have been burned.
Echo Protocol confirmed in a post-incident statement that the breach "originated from a compromised admin key affecting the Monad deployment." There was no clever exploit chain, no obscure rounding error in a smart contract, no flash-loan choreography. One private key with too much authority did the entire job. The attacker used it to assign themselves DEFAULT_ADMIN_ROLE and MINTER_ROLE, revoked the original admin, and minted at will.
The attack flow tells you what the key was actually worth. The hacker took 45 of the freshly minted eBTC — about $3.45 million at notional value — and posted it as collateral on Curvance, the Monad-native money market. They drew approximately 11.29 WBTC against it, bridged the WBTC to Ethereum, swapped into 384 ETH, and routed the proceeds through Tornado Cash. That is the entire realised loss. The other 955 eBTC sat in a wallet long enough for Echo to regain admin control and burn it.
Echo is a Bitcoin-focused DeFi protocol that lets BTC holders bridge to Monad, the high-throughput EVM chain that opened mainnet earlier this year. eBTC is the wrapped representation. Minting 1,000 of them with one signature was supposed to be impossible — not because the math forbids it, but because no production system should ever let one key do that much. The attack is the third major DeFi failure this month rooted in concentrated admin authority rather than smart-contract bugs.
That pattern is now the headline risk in the sector. Wasabi Protocol lost $4.55 million in late April because a single wallet held the admin role across the entire system. The 1inch liquidity provider drained for $6.7 million on May 13 hit because an allowlist function had no access control at all. Now Echo. The contracts in each case were unremarkable; the operational security around them wasn't. Audits look at code. They cannot look at how a team rotates keys, who has them, and whether multisig thresholds match the value at risk.
Echo's response has been textbook for what it is — fast contract pause, cross-chain functionality halted on Monad, an upgrade to "restrict affected operations and strengthen control over sensitive functions." The team claims it regained the admin keys after the attacker started moving funds, which is what allowed it to torch the 955 eBTC still sitting in the attacker's wallet. The bridge remains paused as of writing.
The cryptographic distinction between $76 million minted and $816,000 extracted matters more than the headline number suggests. eBTC's peg can only survive if the market believes every token is backed one-for-one by Bitcoin held in custody. The moment 1,000 unbacked units exist, the peg becomes a question of how fast the protocol can claw them back versus how fast the attacker can sell them. Echo won that race because the attacker bottlenecked themselves on Curvance — Monad's DeFi liquidity is thin enough that swapping 1,000 eBTC into anything liquid would have crashed the price before the bridge could move it.
That's a feature of the still-narrow market the attacker exploited, not a feature of the protocol. On Ethereum, with deeper pools and more bridges, the same key compromise would have resulted in a substantially larger loss. Monad is young enough that the routes out are not yet built. Future attackers using the same vector on more mature deployments will not have that problem.
The implication for Monad itself is the more uncomfortable one. The chain has positioned itself as the EVM-compatible high-throughput layer, and Echo was one of its flagship Bitcoin DeFi integrations. Total value locked across the chain is in the low billions; an incident at this scale dents the trust required to attract the next wave of deposits. Echo says it will publish a full post-mortem. The question Monad's other protocols should be asking is whether their own admin key setups would survive the same audit.
According to onchain analyst PeckShield, who first flagged the mint, this is now the 14th separate DeFi exploit recorded in May 2026. The cumulative loss across those incidents has not yet been published, but TRM Labs reported in late April that North Korea alone accounted for 76 per cent of stolen crypto value for the year through two attacks — a figure that will need updating now. Echo Protocol has said it will reimburse users affected by the realised loss, though it has not yet specified the mechanism or timeline. The compromised key is the only thing that has been confirmed; everything else, including how the attacker obtained it, remains under investigation.
