An unidentified attacker drained approximately $2.1 million from the deprecated Aztec Connect platform on Sunday, June 14, 2026, marking a rare security breach on a system that had been dormant for years. Blockchain security firms CertiK and BlockSec confirmed the incident, which targeted the Aztec Connect Router contract on the Ethereum blockchain.
Despite the platform being officially shut down in 2023, lingering assets remained in the immutable smart contracts, providing a window for the exploiter to strike.
Aztec Labs and the Aztec Foundation released statements on Monday acknowledging the vulnerability, which allowed the attacker to manipulate the platform’s transaction verification process. The breach involved seven distinct transactions, through which the perpetrator siphoned 909 ETH, 270,000 DAI, and 167 wrapped staked ETH (wstETH).
Security analysis by CertiK identified the attacker’s wallet as 0x0f18d8b44a740272f0be4d08338d2b165b7edd17, which had been previously funded via the privacy mixer Tornado Cash.
The incident serves as a stark reminder of the risks associated with “ghost” contracts in the decentralized finance space. Even after developers move on to new projects, the code remains active on the blockchain. This vulnerability appears to mirror other recent industry concerns regarding unbacked asset issuance, where flaws in contract logic lead to the creation of illegitimate balances that can be withdrawn as real capital.
Manipulation of zero-knowledge proofs leads to Aztec Connect drain
The technical root of the exploit lay in a mismatch between the platform’s zero-knowledge proof verification and the final settlement on the Ethereum mainnet. By exploiting this discrepancy, the attacker manipulated the verification path, tricking the smart contract into recognizing value that had never actually been validated. This allowed for the generation of unbacked balances across multiple digital assets, which were then swapped and withdrawn.
Aztec Connect originally launched in 2022 as a privacy-centric DeFi bridge, but Aztec Labs announced its deprecation on March 12, 2023. While deposits were disabled shortly after, the contracts remained live to allow users to withdraw their holdings. However, approximately $2.1 million was never claimed by its rightful owners, leaving a pool of liquidity that eventually attracted the current exploit.
Because the developers renounced their admin keys in 2024, the contracts became fully immutable. This move, intended to ensure total decentralization, now means that Aztec Labs cannot pause the system or patch the flaw to prevent further drain. The team confirmed through social media that they have no mechanism to intervene, as they no longer possess any control over the deprecated infrastructure.
Separation from the current Aztec network and user assets
In the wake of the news, the Aztec Foundation was quick to clarify that the current Aztec Network remains entirely unaffected by this breach. The modern network operates on a separate architecture focused on private smart contracts and does not rely on the legacy Connect bridge. Furthermore, the AZTEC ERC20 token remains secure, as it is not linked to the compromised router contract.
The market has seen similar situations where legacy code causes unexpected turbulence. For instance, traders often look for market stability signals when such headlines break, but the isolated nature of this event has prevented a wider selloff. Aztec Labs emphasized that only the old, abandoned platform was at risk, and no funds on the active mainnet have been touched.
Crypto developer Param, who tracks DeFi security, noted that the incident highlights a growing problem of abandoned protocols. He explained that as the industry matures, the “ticking time bombs” of 2022-era code continue to exist on-chain. This highlights why some analysts believe the market is still in a phase of shifting market structure, where purging old vulnerabilities is a painful but necessary part of the evolution.
Timeline of the Aztec Connect shutdown and subsequent exploit
- March 12, 2023: Aztec Connect deprecation was officially announced.
- March 31, 2023: Deposits into the platform were permanently disabled.
- March 31, 2024: Aztec Labs stopped running the sequencer, making withdrawals manual.
- Late 2024: Admin keys were renounced, making the contracts immutable.
- June 14, 2026: An attacker exploited the verification flaw to drain $2.1 million.
As the attacker’s funds remain in the identified wallet, security teams and exchanges are likely monitoring the 0x0f18 address for any movement toward off-ramps. However, given the initial use of Tornado Cash, recovery of the stolen $2.1 million remains unlikely. The industry’s focus now turns to whether other deprecated platforms house similar dormant risks that could be targeted in the future.
