Every Stolen Token.
Bought Back.
On December 11, 2025, malware drained the founder's wallet and part of the company treasury. The structural defenses held. The operational holdings fell. The company executed a full buyback. This page is the record.
The supply that was stolen had originally been earmarked for free distribution — community, ecosystem, long-term builders. The buyback paid real capital to reacquire supply that was originally meant to be given away.
No buyback was owed. ZARO has always been a digital collectible with no intrinsic value, no investment relationship, no refund mechanism. The legal disclosures on this site, from day one, have said exactly that. The buyback was funded by the founder personally.
The renounced contract did not allow a single new token to be minted. Every ZARO that exists today existed before December 11, 2025.
The numbers
~$72,546
USD value drained
across ETH + BNB Chain
45 min
duration of the attack
multi-wallet structure slowed it
100%
of stolen supply reacquired
across Path 1 + Path 2
$0
paid by holders
buyback funded by founder personally
Timeline
Each event is on-chain or document-backed. Sourced from the /history chronological record.
Dec 11, 2025 · 7 PM Dubai
The drain begins
A piece of malware delivered as a spoofed AI website (alliai.us) compromises the founder's email. The attacker begins draining wallets. The structural defenses — renounced contract, 255-year LP lock, multi-wallet treasury — hold. The operational holdings fall.
Dec 12, 2025 · 6 AM Dubai
Founder Message #3 published
Before any criminal report is filed, before the forensic firm is engaged, before any buyback begins — the founder publishes the incident publicly. To everyone he knows. On X. In the wreckage.
Read Founder Message #3Dec 16, 2025
Collisionless forensic report published
A Chainalysis-vetted blockchain investigative firm — Collisionless Global Technology Services Inc. — completes a third-party forensic investigation. Traces stolen-asset flow, identifies the consolidation wallet, maps the dust-funding pattern, identifies an upstream funding wallet with material historical exposure to Binance and Gate.io.
Forensic report (PDF)Dec 23, 2025
Dubai Police Cyber Crime Unit case opened
Criminal case 225004194871 filed. Open.
Late Dec 2025
Canadian Anti-Fraud Centre case opened
Reference 2025-9763-2352-2 — filed for the Canadian nexus of the malware code-signing certificate.
Dec 2025 – Jan 2026
Path 1 — Direct OTC buyback from individual holders
The company offers a voluntary buyback to every verified pre-Dec-11 buyer. Settlement is at original USD purchase price, not at current ETH price. Buyers who acquired during ETH's high-price window are made whole in dollars — the company absorbs the difference between the two ETH price regimes.
Feb 2 – Feb 14, 2026
Path 2 — Open-market buyback through Uniswap
The company executes on-chain buybacks through the public Uniswap V2 pool — at prevailing market price, same access any buyer had. Largest transactions on Feb 12, 13, 14. Independently verifiable on third-party chart data.
Verify on DexScreenerResult
Every stolen token was reacquired
The supply that was stolen was bought back. Funded by the founder personally. No new tokens were minted — the renounced contract makes that impossible. Every ZARO that exists today existed before December 11, 2025.
The dollar-anchored buyback
Most ZARO buyers had acquired tokens between August and October 2025 — when ETH traded at or near its all-time high of approximately $4,829. By the buyback window in early 2026, ETH had declined to roughly $1,800–$2,500.
The company paid each Path 1 buyer's original USD purchase price — not the equivalent in ETH. A buyer who originally spent the dollar equivalent of $1,000 received $1,000. The company absorbed the difference between the two ETH price regimes.
That decision wasn't required. It was the explicit posture: treat early buyers like the company itself had asked them to participate, even though the legal disclosures had always said the opposite.
What held
The structural defenses worked exactly as designed. The breach didn't come through the contract — it came through a piece of consumer malware on a personal machine.
Renounced contract
Owner = zero address. The attacker could not mint a single new token. Total supply remained 1,000,000,000 throughout.
255-year LP lock
300M ZARO + 6 ETH at UNCX. Untouchable. The pool kept its floor. The attacker could not drain liquidity.
Multi-wallet treasury structure
The treasury supply was split across ten wallets, each holding only ZARO — no gas. The attacker had to fund each wallet with ETH before moving the ZARO. That bottleneck slowed the drain by orders of magnitude.
Bridge backing on Ethereum
The Wormhole and OP Stack escrows holding the 1:1 backing for bridged supply on Base, BNB Chain, and Solana were never at risk. Cross-chain holders were unaffected.
What changed
- Hardware wallet custody. No more browser-extension wallets for treasury-grade signing.
- Public Security Advisory published with technical indicators (IOCs) so other projects can defend against the same vector.
- Operational tightening across the company's signing surfaces.
Receipts
Every claim above is independently verifiable. Click any line to open the source.
Consolidation wallet (attacker)
0x905E6190409A49A702B39aF2CA4D8c0731baE03E
Upstream funding wallet (identified by Collisionless)
0xa10DaEE56eB92bEA16d4011D2A2e21727BC8a616
Material historical exposure to Binance and Gate.io per the forensic report.
Collisionless investigation report (PDF)
Dec 16, 2025
Public Security Advisory (IOCs)
github.com/zarocoin/.../2025-12-11-malware-compromise/
Founder Message #3 — The Decision
First-person account, Dec 11–12, 2025
DexScreener — Path 2 buyback activity
Feb 2–14, 2026
"One day, this will most likely be part of the 'early days' chapter in a future ZARO movie."
— Shihab Khalil, Founder Message #3, December 12, 2025