
In early May 2026, Ekubo reported an active security incident affecting its EVM swap router environment. Public reporting and Revoke.cash identify the incident as an approval-based exploit that placed users with active approvals to specific Ekubo contracts at risk, rather than a compromise of Ekubo’s Starknet deployment or liquidity provider positions. This distinction matters for compliance teams because the loss path appears to originate from user-granted token permissions, not a broad protocol reserve drain.
The primary exploiter address identified in the provided tracing data is:
0xa911ff351b143634dbc5af3e204ea074583a83e3
The exploit reportedly unfolded across approximately 85 transactions and drained around 17 WBTC from at least one affected user. Public sources describe the funds as subsequently converted into WETH and DAI, while the provided Tracker graph shows additional movement into privacy infrastructure. Source type: third-party reporting and provided on-chain graph. Confidence: high for the loss scale and the approval vector; the complete downstream laundering path remains suspected until every hop is independently verified.
The affected contracts listed for review are:
Ethereum V2: 0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd
Ethereum V3: 0x4f168f17923435c999f5c8565acab52c2218edf2
Arbitrum V3: 0xc93c4ad185ca48d66fefe80f906a67ef859fc47d
Users with historical approvals to these contracts should revoke or reduce active allowances immediately. Revoke.cash lists Ekubo as a known approval exploit discovered on May 6, 2026, with Ethereum and Arbitrum marked as affected networks.
The provided graph indicates that the exploiter received approximately $1.33M from the exploited Ekubo-linked path on May 5, 2026. A second inbound path from a DeFi-labeled node reflects multi-asset movement involving WBTC, DAI, USDC, WETH, and ETH. Source type: provided on-chain graph. Confidence: high for graph-visible flows; any interpretation beyond the displayed transactions is suspected.
Hop 1: Victim or approval-exposed wallet activity appears to have been routed through the exploit contract path into the main exploiter wallet. The graph labels execution from an Ekubo.org-linked address toward an exploit contract, then onward to the main exploiter. This is consistent with an approval-abuse exploit where the vulnerable contract becomes the transfer mechanism rather than the final custody point.
Hop 2: The main exploiter then interacted with a DeFi route involving WBTC, DAI, USDC, WETH, and ETH. This suggests rapid asset conversion after the drain, likely to move away from the originally stolen WBTC and into assets with deeper liquidity.
Hop 3: The main exploiter sent approximately $1.36M into Railgun in two visible transfers on May 5 and May 6, with values shown near $1,357,792.29. The graph annotation states that the actor deposited multi-asset funds into Railgun and withdrew approximately one to two hours later.
Hop 4: The exploiter subsequently swapped the assets withdrawn from Railgun into ETH and sent approximately 577 ETH, valued around $1.34M, to Tornado Cash on May 6. This is a strong laundering indicator because the flow shows rapid conversion and privacy-layer interaction shortly after the exploit.
The visible laundering pattern combines consolidation and privacy routing rather than broad fan-out. The main exploiter appears to function as the central collection wallet before funds are pushed through privacy infrastructure. This creates a higher-risk exposure profile for counterparties that received funds within one to three hops of the exploiter.
No state-actor attribution is supported by the available evidence. Privacy-tool usage is a laundering behavior indicator, not an attribution signal. Any actor-level label would require convergent evidence such as reused infrastructure, funding links, operational overlap, malware indicators, or prior case linkage.

Direct exposure applies to wallets that receive funds from the main exploiter address or from the visible post-exploit privacy withdrawal paths. Indirect exposure applies to counterparties within one to three hops where timing, value continuity, and asset conversion are consistent with the exploit proceeds.
For VASPs, the strongest escalation triggers are direct receipts from 0xa911ff351b143634dbc5af3e204ea074583a83e3, inbound funds matching the post-exploit timing window, or deposits following privacy-protocol exits with value continuity near the reported loss amount. SAR review may be appropriate where a customer receives funds shortly after the exploit, especially if the customer attempts rapid conversion, layering, or withdrawal.
Freeze potential depends on custody position, jurisdiction, and evidentiary strength. Direct inbound funds from the exploiter are higher confidence. Funds emerging after privacy routing require careful treatment as risk indicators unless the withdrawal path can be independently linked through timing, amount, address reuse, or additional clustering signals.
Users should revoke or reduce approvals to the listed Ekubo EVM contracts on Ethereum and Arbitrum. Compliance teams should place the main exploiter address and downstream privacy-interaction wallets on enhanced monitoring, with alerting for direct receipts, one-to-three-hop exposure, rapid asset conversion, and deposits following privacy-layer exits.
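The direct and one-to-three-hop exposure rule described above, as an added example that is not part of the original brief or of any Merkle Science tooling: a forward breadth-first search from the exploiter address over transfers inside a post-exploit window, which only follows a hop if the funds leave an address no earlier than they arrived there (timing continuity). The exploiter address is the one reported above; every other address, label and transfer is constructed sample data, and the seven-day window is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Main exploiter address from the report; every other address below is constructed
EXPLOITER = "0xa911ff351b143634dbc5af3e204ea074583a83e3"
EXPLOIT_START = datetime(2026, 5, 5)      # Hop 1 date from the report
WINDOW = timedelta(days=7)                # assumed post-exploit screening window

# Constructed sample transfers (sender, receiver, usd_value, timestamp); not real chain data
TRANSFERS = [
    ("0xekubo_exploit_contract", EXPLOITER, 1_330_000, datetime(2026, 5, 5, 10, 0)),
    (EXPLOITER, "0xhop1", 900_000, datetime(2026, 5, 5, 11, 30)),
    ("0xhop1", "0xhop2", 500_000, datetime(2026, 5, 5, 13, 0)),
    ("0xhop2", "0xcustomer_a", 450_000, datetime(2026, 5, 5, 15, 0)),
    ("0xhop2", "0xcustomer_stale", 300_000, datetime(2026, 5, 5, 12, 0)),  # left before 0xhop2 was funded
    ("0xhop3", "0xcustomer_far", 100_000, datetime(2026, 5, 6, 9, 0)),     # 0xhop3 has no path from exploiter
    ("0xunrelated", "0xcustomer_b", 20_000, datetime(2026, 4, 1, 9, 0)),   # outside the window, unrelated
]

def hop_distances(transfers, source, start, window, max_hops=3):
    """Forward BFS from `source` over transfers inside [start, start + window].
    A transfer is followed only if it is not earlier than the transfer that funded
    its sender along the discovered path. Returns {address: (hops, arrival_time)}."""
    out_edges = defaultdict(list)
    for snd, rcv, _val, ts in transfers:
        if start <= ts <= start + window:
            out_edges[snd].append((rcv, ts))
    reached = {source: (0, start)}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        hops, funded_at = reached[node]
        if hops == max_hops:
            continue
        for rcv, ts in out_edges[node]:
            if ts < funded_at:        # no timing continuity: funds left before they arrived
                continue
            if rcv not in reached:
                reached[rcv] = (hops + 1, ts)
                queue.append(rcv)
    return reached

def exposure_level(address, reached):
    """Map hop count to the brief's categories: direct (1 hop) or indirect (2-3 hops)."""
    hops = reached.get(address, (None,))[0]
    if hops is None:
        return "none"
    if hops == 0:
        return "source"
    return "direct" if hops == 1 else "indirect"

if __name__ == "__main__":
    dist = hop_distances(TRANSFERS, EXPLOITER, EXPLOIT_START, WINDOW)
    for addr in ("0xhop1", "0xcustomer_a", "0xcustomer_stale", "0xcustomer_far", "0xcustomer_b"):
        print(addr, exposure_level(addr, dist))
```

Hop count alone is a prioritisation signal; the brief's other triggers (value continuity, privacy-exit timing, address reuse) still have to be checked before escalation.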
Merkle Science can help compliance teams screen for direct and indirect exposure to the Ekubo exploiter path, prioritize high-confidence risk, and separate verified proceeds from unconfirmed laundering indicators. Get in touch to find out more.