Bitcoin-focused DeFi protocol Echo suffered an exploit on Monday, with attackers targeting eBTC, Echo's bitcoin liquidity token issued on Monad. The root cause was a compromised admin key affecting the Monad deployment, as announced by Echo on Tuesday at around 2:30 a.m. ET. Approximately $816,000 was stolen in the attack, marking the latest in a series of DeFi security breaches this year. Echo has since regained control of the keys and burned the remaining 955 eBTC held by the attacker.
## Attack Timeline and Mechanics
The exploit was first flagged by pseudonymous crypto influencer DCF GOD on X at around 5:55 p.m. ET on Monday. According to onchain analytics firm Onchain Lens, the attacker minted 1,000 eBTC and deposited 45 eBTC to DeFi lending protocol Curvance as collateral to borrow approximately 11.29 WBTC, worth roughly $867,700 at the time.
The exploiter then bridged the WBTC to Ethereum and swapped the tokens into 385 ETH (Ether). The ETH was subsequently moved to Tornado Cash, a crypto mixer.
Before Echo's announcement, the attacker held 955 eBTC, worth $73.2 million, according to onchain analytics firm Lookonchain. As noted by DefiPrime Founder Nick Sawinyh, "The other 99% of the fake supply is parked on the attacker's wallet, because Monad's lending and DEX depth can't absorb more."
## Official Responses and Network Status
Modan Co-founder Keone Hon confirmed that security researchers determined approximately $816,000 was stolen and assured that the Monad network itself was not affected by the exploit.
Curvance stated that its fully isolated market architecture shielded other markets from being affected and found no indication of compromise with its smart contracts. Curvance paused the affected Echo eBTC market out of caution.
## Echo's Remediation Actions
Echo announced that it has successfully regained control of the compromised admin keys. The protocol burned the 955 eBTC that remained in the attacker's possession.
Echo confirmed there is no evidence of compromise on Aptos, where the protocol maintains a large presence as a multi-chain BTCFi platform. However, Echo paused cross-chain functionality for the Monad deployment and Aptos bridge operations out of caution.
## Broader DeFi Security Context
The Echo exploit occurred amid a wave of DeFi attacks. According to DefiLlama, there had been 13 security breaches on DeFi protocols in the month prior, including an $11.6 million exploit on Verus' Ethereum bridge that occurred on May 17.
