History

Before the token was deployed, the company structure was put in place.

ZaroVerse Ltd was incorporated in the British Virgin Islands on August 1, 2025, under Company Number 2183451. The British Virgin Islands was selected as the parent-company jurisdiction because it offers a well-established legal framework for technology and entertainment businesses, recognized international standing, and a corporate law tradition that supports clear separation between the company as a legal entity and the founder as an individual.

Two operational subsidiaries support the parent company: a United Arab Emirates subsidiary for retail and e-commerce activity, and a Jordan subsidiary positioned for long-term expansion of the ZaroVerse entertainment universe.

The corporate purpose of ZaroVerse Ltd is to build, own, and operate a transmedia entertainment universe. This includes published fiction (the cosmic science-fantasy saga that opens with the trilogy The Yellow Spark), associated lore and reference materials, planned animation and games, merchandise (the ShopZaro brand), a podcast on Spotify, Apple Music, and Amazon Music, and a cultural on-chain artifact in the form of the ZARO token. The token is one layer of this universe — its documentation on-chain — not its commercial vehicle.

A note on the founder's other work: Shihab Khalil, the founder of ZaroVerse Ltd, also operates a separate global fintech platform that he founded nearly two decades ago. That platform is not connected to ZaroVerse Ltd in any way — different jurisdiction, different audience, different regulatory posture, different corporate identity. The wall between the two businesses is deliberate and is maintained at every level: ownership, branding, communications, and operations. The founder is publicly identified on this site and accountable for ZaroVerse's actions; the separate fintech business is not addressed here for the same reason one wouldn't expect a film studio's website to discuss its director's unrelated investment firm.

On June 30, 2025, ZaroVerse Ltd deployed the ZARO Coin contract on Ethereum mainnet. The launch was structured as a four-step sequence intended to leave no administrative control over the token in the company's hands once complete.

Step 1 — Contract deployment. The token contract was deployed as a minimal-proxy clone of Thirdweb's audited ERC-20 template (the same template OpenZeppelin has audited for general use). Total supply was minted at deployment: 1,000,000,000 ZARO, fixed. No mint function, no pause function, no blacklist, no transfer cooldown, no anti-whale toggles. Eighteen decimals. Zero tax on buys, sells, or transfers.

Contract address:
0xc311FD6DA9686507F33991543d8158EF5FaDd5E7

Step 2 — Liquidity seeded. The company seeded the Uniswap V2 ZARO/WETH pool with 300,000,000 ZARO (30% of total supply) paired against 6 ETH from the company's own funds, borrowed from the founder. The resulting liquidity pair is at:

0x53085839A2Ee860E58108665825Fc7Ef5e061213

The starting per-token price implied by the initial pairing was 0.00000002 ETH per ZARO. This is the public launch price.

Step 3 — Liquidity locked for 255 years. All LP tokens received from seeding the Uniswap pool were transferred to UNCX, a third-party liquidity locking service, and locked for 255 years. The company cannot withdraw the LP, modify the lock duration, or recover the underlying ZARO and ETH from the pool. The lock is enforced by smart contract.

Lock transaction:
0xbb17a0d05a167047fb478c9769badaed00fa40e964a54d2917181420d26f4581

Step 4 — Contract renounced. Ownership of the ZARO contract was transferred to the zero address. After this transaction, no party — including the founder, the company, or any third party — can modify the contract, mint additional tokens, or alter any contract parameter. The contract is mathematically immutable.

Renounce transaction:
0x15e4739956e05a80d03cd258eb6a35d7ace2406b7c49a99bc8aa7f7c8fbb3b8a

After these four steps, the supply was permanently fixed at one billion ZARO. Thirty percent sat in the locked Uniswap pool, providing tradable liquidity that no party could withdraw. The remaining seventy percent — 700,000,000 ZARO — was held in the company's treasury wallet for the next phase of distribution.

There was no presale, no private round, no team allocation, no VC investment, no influencer distribution, and no insider entry price. The company funded the liquidity from its own resources. Anyone in the world could buy ZARO at the same per-token price by interacting with the Uniswap pool.

Shortly after the launch sequence completed, the founder purchased 195,000,000 ZARO from the company treasury through an over-the-counter transaction at the same per-token price as the public Uniswap pool. He paid 3.9 ETH directly to the company treasury wallet in exchange for the tokens.

The arithmetic is verifiable:

195,000,000 ZARO × 0.00000002 ETH per ZARO = 3.9 ETH

This is the same per-token price anyone in the world could buy ZARO at by interacting with the Uniswap pool on June 30, 2025. The founder did not receive an allocation. He did not receive a discount. He did not enter early. He paid the public launch price in ETH directly to the company.

Both legs of the transaction are recorded on-chain:

Founder paid 3.9 ETH to the company treasury:
0x8bfec6c0fa1ebcf416bf1225bc55cef134b3190c38b2c6a79e94b7cb08d26e9d

Founder received 195,000,000 ZARO from the company treasury:
0x06a3c67288ef42e28fb4b0b6d7b56e6f80a09889f59e27dd78ecd26480681afd

The founder's holdings from this transaction are held at 0x984e23643acABDd447E8969ba08aaE6120A9bC8b and are publicly identifiable on Etherscan and on third-party holder-distribution tools.

The 3.9 ETH received by the company through this transaction was used as operational capital. Specifically: the British Virgin Islands company incorporation and associated legal counsel; the published BVI legal opinion analyzing ZARO's classification under six international regulatory frameworks; CoinMarketCap listing fees (paid twice, due to a separate listing-related scam — see the CoinMarketCap Listing Scam section below); social media account setup and operational expenses across the project's public channels; and other early-stage company setup costs.

Why this matters for anyone evaluating the project:

Most early-stage tokens have a wallet holding 15–25% of supply that researchers identify as a “team allocation” or “founder wallet.” In ZARO's case, the wallet holding 19.5% of supply is the founder's wallet — and it was bought at the same per-token price as everyone else, with the payment to the company verifiable on-chain. There is no allocation, no team-tokens unlock schedule, no vesting cliff. The founder's position is an on-chain purchase, not a grant.

This is the distinction between an allocation (free tokens given to insiders, typically subject to dispute over vesting and lock-up) and a purchase (tokens acquired by payment at a market-equivalent price). Allocations require trust in the project's vesting commitments. Purchases require only verification of the transaction. Both transactions above can be verified by anyone with a browser.

Through the third quarter of 2025, ZARO was bridged from Ethereum to two additional blockchains using Wormhole, an audited cross-chain messaging protocol. Wormhole was selected because it is widely used, independently audited, and well-supported across major wallets and decentralized exchanges.

The bridges work by locking ZARO on Ethereum (the canonical chain) and minting an equivalent representation on each destination chain. This means every ZARO token that exists on BNB Chain or Solana is fully backed 1:1 by ZARO locked on Ethereum. No new supply is created by the bridge; the total supply remains permanently fixed at 1,000,000,000 ZARO across all chains combined.

BNB Chain. The bridged contract is at:

0xa9D72F6C1490647DF20E8Fad3C136cA6AC42c2fc

Following deployment, an initial liquidity pool was seeded on PancakeSwap V2. That pool was withdrawn by the company as a defensive operational decision in the aftermath of the December 2025 security incident (see Section 7 and Section 9 below). The bridged supply that backed it is now held by the company for redeployment.

Solana. The bridged SPL token is at:

AbzXS6NfGvCtg5B1rqZ1JSfoDHkwTAeEYJkWkHhCe38W

Following deployment, an initial liquidity pool was seeded on Raydium. That pool was withdrawn alongside the BNB Chain liquidity for the same reason and at the same time.

Honest framing of the current state. Ethereum is the active trading venue for ZARO. The BNB Chain and Solana deployments exist as bridged infrastructure — the contracts are live, the bridge backing is in place, the chains are addressable — but there are no funded liquidity pools on these chains at this time. The previously seeded pools were withdrawn as a defensive measure following the December 2025 incident, allowing the company to regroup operationally before reestablishing liquidity on PancakeSwap (BNB Chain) and Raydium (Solana).

Any future activation of liquidity on BNB Chain or Solana will be documented in this history record at the time it occurs, with corresponding transaction receipts. No promises are made here about timing.

After the launch sequence completed and the founder's OTC purchase was recorded, the company treasury held 505,000,000 ZARO — fifty point five percent of the total supply.

This treasury was held for one purpose: community distribution. Airdrops to early supporters of the universe, holder-recognition rewards, ecosystem grants to creators producing work within the ZaroVerse, philanthropy disbursements under the company's published 5% pledge, and any other distribution mechanism the company chose to undertake in service of building the universe's audience.

The treasury was not held to be sold. The company never offered tokens for sale, never operated a token-sale storefront, never priced any portion of the treasury for market acquisition. The treasury existed to be given.

The 5% philanthropy pledge was honored under this structure for as long as it could be — the commitment was real, the allocation was earmarked, and disbursements were made during the period the treasury was intact.

This distinction matters for what follows in Section 7. When the treasury was compromised, the supply that was taken was the supply that had been earmarked for community distribution — not the founder's holdings, not the locked LP, not any allocation that the company itself was attempting to sell. The attack took the company's distribution capacity. It took the supply that was meant for the community. It took the supply that was meant for charity. It took what was intended to be public good.

The company's response — documented in Sections 8, 9, and 10 — was to reconstitute that capacity through on-chain purchase at market price, rather than to mint replacement tokens (which would not have been possible, since the contract was renounced) or to walk away from the project (which the founder declined to do). The full treasury that exists today was freshly bought back from the open market with founder capital. The philanthropy commitment, the community distribution intent, and the public-facing nature of what the treasury was for remain. The structure has changed; the purpose has not.

The treasury wallet structure and the on-chain balances at any point in time are independently verifiable on the relevant blockchain explorers. The company does not need to attest to a number that anyone with a browser can check.

On December 11, 2025, the company treasury was compromised through a malware-based credential theft. The breach vector was a non-hostile domain takeover: the previously-legitimate alliai.us domain had lapsed in 2024 and was re-registered in August 2025 by an unidentified party who used it to distribute a malware-laced installer presented as an AI tool. The installer harvested credentials from the founder's machine, compromised the linked Google account, and provided the attacker with access pathways to wallet credentials stored in cloud-linked services.

The drain occurred between 14:56 and 15:41 UTC on December 11 — approximately seven PM Dubai time, lasting forty-five minutes. The attacker moved approximately $72,546 USD worth of assets across Ethereum and BNB Chain into a single consolidation wallet:

0x905E6190409A49A702B39aF2CA4D8c0731baE03E

The stolen composition: 21.58 ETH, 5.63 BNB, and 130.48 USDT. The attacker dumped stolen ZARO supply through the Uniswap pool to convert it to ETH, which was then routed to the consolidation wallet. From the outside, the price action looked like a coordinated exit. The chart crashed visibly. The community panicked.

What was unaffected. The renounced contract held. The 255-year LP lock held. The bridge backing on Ethereum was never at risk. The structural defenses of the project itself remained intact. What the attacker accessed was the operational treasury — the supply held for community distribution — not the architecture of the token.

What the founder did during the drain. The realtime defensive response during the forty-five-minute window — including the role of the deliberately-split ten-wallet treasury structure, the temp-wallet purchases interleaved with the drain transactions, and the personal experience of the night — is documented in first-person in Section 8 below. The account in Section 8 is the canonical record of what happened during the drain itself.

Forensic backing. A full third-party forensic investigation of the incident was conducted by Collisionless Global Technology Services Inc. (a Chainalysis-vetted blockchain investigative firm). Their report is published in full on the company's GitHub transparency repository.

• Collisionless Cryptocurrency Investigation Report — December 16, 2025 (PDF)
• Public Security Advisory — Malware-Based Compromise (Dec 11, 2025)

The Public Security Advisory contains the technical indicators of compromise (file hashes for the malware sample, observed domains, IP and URL patterns, user-agent fingerprints) for use by threat-intelligence researchers, exchange compliance teams, and security firms.

In the hours, weeks, and months following the 6 AM message documented in Section 8, the company executed a structured response across four workstreams: criminal reporting to law enforcement, third-party forensic investigation, public security disclosure, and open-market buyback of the stolen supply.

Criminal reports filed. On December 23, 2025, the company filed a formal cybercrime report with the Dubai Police Cyber Crime Unit. Case reference: 225004194871. The filing included a detailed witness statement, the on-chain transaction record, the consolidation wallet address, an upstream funding wallet identified as the primary KYC target, the malware-distribution domain registrar and infrastructure trail, and formal requests for KYC disclosure and account-log preservation from named centralized exchanges with relevant on-chain exposure to the upstream wallet.

A parallel report was also filed with the Canadian Anti-Fraud Centre under reference 2025-9763-2352-2, focused on the Canadian nexus established by the malware's code-signing certificate (issued to a real-world Canadian-registered entity used either with consent or through compromise to sign the malicious installer and bypass operating-system trust warnings). The Canadian filing was made for jurisdictional completeness; the primary investigative channel is the Dubai Police case.

Both filings remain open.

Forensic investigation completed. The company engaged Collisionless Global Technology Services Inc., a Chainalysis-vetted blockchain investigative firm, to conduct a third-party forensic investigation of the incident. The investigation traced the on-chain flow of stolen assets, identified the consolidation wallet as the destination, mapped the dust-funding pattern used to gas-starve the attacker's operational wallets, and identified an upstream funding wallet with material historical exposure to centralized exchanges including Binance and Gate.io.

Upstream funding wallet:
0xa10DaEE56eB92bEA16d4011D2A2e21727BC8a616

The resulting report — Collisionless Cryptocurrency Investigation Report, December 16, 2025 — is published in full on the company's GitHub transparency repository.

• Collisionless Cryptocurrency Investigation Report — December 16, 2025 (PDF)

Public Security Advisory published. A Green-tier public security advisory was published on the company's GitHub transparency repository within days of the incident. The advisory was scoped to provide actionable threat-intelligence information without compromising the active criminal investigations: file hashes for the malware sample (MD5, SHA-1, SHA-256), the observed distribution domain (alliai.us), associated sandbox network artifacts, the attacker's command-and-control IP and URL pattern, the malware's user-agent fingerprint, and the consolidation wallet address. Sensitive investigative material — the upstream KYC trails, the specific identifying details from the code-signing certificate, the law-enforcement preservation requests — was deliberately withheld from the public advisory and preserved for the active investigations.

• Public Security Advisory — Malware-Based Compromise (Dec 11, 2025)

Buyback execution. With criminal investigations active, the forensic record published, and the public security advisory in place, the company turned to the recovery of the dumped supply.

One framing matters here: the company never sold ZARO to anyone. The launch sequence documented in Sections 3 and 4 was a clean issuance — liquidity seeded by the company, the contract renounced, the pool open to any buyer at the same price. Every ZARO transaction that occurred on Uniswap between June 30, 2025 and December 11, 2025 was between two third-party users of the pool. The company itself was not a seller, was not a counterparty, and was not contractually obligated to any holder in any way.

What this means is that the company did not owe any holder a buyback. There was no refund to issue. There was no investor relationship to repair. The legal disclosures published on this site since the project's first day have stated explicitly that ZARO is a digital collectible with no intrinsic value, that the company makes no financial claims, and that holders interact with the token at their own risk.

The company offered a buyback anyway.

The buyback ran across two parallel paths with different settlement mechanics.

Path 1 — Direct OTC buyback from individual holders. The 6 AM message offer (documented in Section 8) was honored to every participant who registered through the form during the response window. Each transaction was settled over-the-counter: the holder transferred their ZARO to the founder's wallet, and the founder paid the holder in cash. Personal letters were sent by the founder to people known to have purchased ZARO before December 11; the same OTC settlement terms applied to all.

The buyback price was indexed in US dollars, not in ETH. This is a meaningful distinction.

Many early ZARO buyers had purchased their tokens between August and October 2025, when Ethereum traded at or near its all-time high. ETH peaked at approximately $4,829 in late August 2025 (per CoinGecko) and held above $4,000 for substantial portions of August and September 2025. Some buyers had specifically transacted in that high-price window. By the buyback period in early 2026, Ethereum had declined materially — trading in the $1,800 to $2,500 range during the open-market buyback window in early-to-mid February.

The company chose to pay back each buyer's original USD purchase price. A buyer who had originally spent the dollar equivalent of $1,000 in ETH received $1,000 in cash, regardless of what the same number of ETH was worth at the time of the buyback. The buyer was made whole in the reference currency they had originally measured their purchase in. The company absorbed the difference between the two ETH price regimes.

Some buyers had ZARO entry prices twenty times higher than the market price the morning after the December 11 crash. Those buyers were paid back at their original USD purchase price as well. Every registered participant received the same offer terms applied consistently.

Path 2 — Open-market buyback through Uniswap. In parallel with the Path 1 OTC settlements, the company executed an open-market buyback of the dumped supply that was still in circulation. Path 2 purchases were on-chain transactions through the Uniswap pool at prevailing market price — the same pool, the same price, and the same access that any other buyer had at any point in time. Path 2 began on February 2, 2026, with the largest buyback transactions occurring on February 12, 13, and 14, 2026. The volume of these purchases is independently verifiable on third-party chart data services.

• Verify Path 2 buyback activity on DexScreener

One additional fact about the buyback's cost basis is worth recording here.

The supply that was stolen — the company treasury — had been minted at the launch as part of the fixed total supply and was held by the company for free distribution: community airdrops, holder rewards, ecosystem grants, and the published 5% philanthropy disbursements documented in Section 6. The company's acquisition cost for that supply was zero. It was minted to be given.

The buyback paid real capital — through Path 1 OTC settlements at original buyer USD prices, and through Path 2 open-market purchases — to repurchase supply that had originally been earmarked for free distribution. The buyback was funded by the founder personally. ZaroVerse Ltd does not generate operational revenue from the token; the founder has funded the company throughout.

ZARO is a limited-supply digital collectible. The total supply is mathematically fixed at 1,000,000,000 tokens by a renounced contract that cannot mint additional tokens, cannot be modified, and cannot be paused or restricted. The buyback acquired supply that exists within that fixed cap. Every ZARO token that will ever exist already exists.

The recovered supply was consolidated into the company's post-incident treasury structure, documented in Section 10 below.

Hardware wallet custody. All recovered tokens, the founder's original OTC holdings, and the bridged supply that was defensively withdrawn from BNB Chain and Solana liquidity pools are now held in hardware wallet cold storage. The hardware wallets are isolated from the credential pathways that were compromised on December 11. The cloud-stored backup-credential pattern that enabled the original breach has been eliminated; no operational wallet credentials exist on any cloud-linked service.

The structural defenses that held during the December 11 incident — the renounced contract, the 255-year LP lock, the bridge backing on Ethereum, the deliberately gas-starved multi-wallet treasury structure — continue to operate as designed. The single defensive gap that the December 11 incident exposed — credential pathways accessible through a compromised browser session — has been closed.

The pre-incident treasury documented in Section 6 was minted as part of the fixed supply at launch — held at zero acquisition cost by the company, earmarked for free distribution to the community. The founder's OTC position documented in Section 4 was purchased at the public launch price in July 2025 and held in cold-adjacent custody.

Both positions — the company treasury and the founder's OTC supply — were drained in the December 11, 2025 incident. Both were dumped through the Uniswap pool by the attacker. Both were bought back during the response period documented in Section 9.

The supply was paid for twice.

What this means for the current structure of ZARO.

Total supply remains permanently fixed at 1,000,000,000 ZARO by the renounced contract. The current distribution of that supply across positions:

• 30% — Permanently locked in the Uniswap V2 pool. 300,000,000 ZARO paired against the original 6 ETH liquidity, with the LP tokens locked at UNCX for 255 years. This position is unchanged from launch and is structurally untouchable. No party — including the founder, the company, or any third party — can withdraw the LP, modify the lock duration, or recover the underlying ZARO and ETH from the pool. (Lock receipt and contract details in Section 3.)
• The remaining 70% — Bought back through Path 1 OTC settlements and Path 2 open-market purchases. This includes both the supply originally held in the company treasury (505,000,000 ZARO, free-distributed at launch) and the founder's original OTC position (195,000,000 ZARO, purchased at the public launch price in July 2025). All of this supply was stolen on December 11 and acquired again through the buyback paths documented in Section 9, at substantial personal cost to the founder.

The exact composition of the 70% — split between the company's post-incident treasury wallets, the founder's repurchased position, and individual third-party holders who did not sell — is independently verifiable on Etherscan and on third-party holder-distribution tools.

The load-bearing fact.

Outside the 30% that has been mathematically untouchable since launch, every single ZARO token currently held by the company or by the founder was paid for through capital deployed at market or original-buyer prices. The company's treasury was bought back. The founder's OTC position was bought back. There is no "minted-to-be-given" supply remaining in any company or founder wallet today. Whatever exists in those wallets is supply that has been purchased — once at launch in the founder's case, then again during the recovery in both cases.

The buyback was funded by the founder personally. ZaroVerse Ltd does not generate operational revenue from the token. The capital deployed in the buyback was the founder's, not the company's.

The phrase that most concisely captures the current state: the entire non-locked supply of ZARO has been paid for, in some cases twice.

About the framing that surfaced during the December 11 price action.

During the forty-five-minute drain window and in the hours and days that followed, some observers on social media platforms described the price collapse as a coordinated exit by the project — a "rug pull" in industry parlance — and stated publicly that ZARO would not recover. Those statements were made in good faith based on the visible chart action; from the outside, a 90%+ price drop with no immediate explanation looks exactly like the coordinated exit pattern those observers had seen before in other projects.

The structural facts now in the public record contradict that framing. The drain was a unilateral theft by a third party, not a coordinated exit by the project (forensic backing in Section 7 and Section 9). The contract was renounced before the incident and remains renounced today; no party can modify it. The LP was locked for 255 years before the incident and remains locked today; no party can withdraw it. The supply that was stolen was bought back with founder capital and now sits in hardware wallet custody. The price recovered. The buyback transactions are independently verifiable on DexScreener.

Anyone who read those early posts and concluded the project was over is invited to read this page and verify the receipts.

The purpose of the post-incident treasury.

The structure has changed; the purpose has not.

The treasury that exists today is held for the same reasons the original treasury was held: community distribution, ecosystem grants to creators producing work within the ZaroVerse, holder-recognition rewards, philanthropy disbursements under the company's 5% pledge, and other distribution mechanisms in service of building the universe's audience. The pledge is continuing. The intent is intact. What was lost was the capacity to distribute; what was rebuilt is exactly that capacity, at substantial personal cost to the founder.

No portion of the post-incident company treasury is held to be sold by the company. The structural posture remains: the company does not sell ZARO; the company gives it, holds it, and uses it as a cultural artifact within the universe being built.

Verifiability.

The treasury wallet addresses and the founder's repurchased position are publicly identifiable on Etherscan. On-chain balances at any point in time are visible to any researcher with a browser. The company does not need to attest to a number that anyone can verify. The post-incident treasury and the founder's repurchased position, like every other on-chain position documented on this page, are transparent by construction.

In July 2025, during the active CoinMarketCap listing workflow following the June 30 token launch, the company encountered a sophisticated phishing attack targeting projects in the listing verification pipeline. The attack used display-name spoofing combined with an IDN (Internationalized Domain Name) homograph substitution and active reconnaissance of the project's public communications.

The vector. CoinMarketCap requires applicant projects to publicly verify ownership of their channels during the listing process — typically by posting a confirmation message from the project's official X account. The attackers monitored crypto X for these verification posts and used them as triggers to intercept the listing workflow before CoinMarketCap's legitimate reply could arrive.

On July 8, 2025, the company posted the required X verification message for the ZARO listing application. Shortly afterward, an email arrived from what appeared to be support@coinmarketcap.zendesk.com, with the subject line "Your request (####) has been updated to CMCP status." The email had valid TLS encryption, appeared in Gmail without security warnings, and read as a routine workflow update from CoinMarketCap's support system.

The technical deception. The email used a layered attack. The visible "From" display string read support@coinmarketcap.zendesk.com — using the real Latin letters that Gmail surfaces prominently in the header. But the actual sending address, shown only in the angle-bracketed envelope field that most users never inspect closely, was <support@coinmarketcap.zendesĸ.com> — with the Cyrillic character "ĸ" (kra, Unicode U+0138) substituted for the final Latin "k" in "zendesk."

The two strings are visually nearly identical at normal reading size:

• Legitimate: zendesk.com
• Malicious: zendesĸ.com

The "s" is preserved in both. Only the final character differs. In most fonts and most email clients, the Latin "k" and the Cyrillic "ĸ" render almost indistinguishably.

The Punycode representation of the malicious domain was xn--zendes-8bb.com, which the attackers had registered, configured with valid TLS, and signed with a corresponding TLS certificate (visible in the email's signed-by field as coinmarketcap.xn--zendes-8bb.com). The combination of display-name spoofing (showing the real zendesk.com in the visible From line) and homograph substitution in the actual envelope address (using the Cyrillic kra in the bracketed reply-to) bypassed both visual inspection and standard email security checks.

The result. Because the spoofed email arrived in the workflow window immediately following the genuine X verification post, the timing matched what a legitimate CoinMarketCap reply would look like. The company paid the requested processing fee — approximately $5,000 USD — through the channel specified in the email. The scam was identified shortly afterward when the legitimate CoinMarketCap support team responded through the actual zendesk.com domain with the real listing workflow.

The legitimate listing was subsequently completed through CoinMarketCap's official channels, with the listing fee paid a second time through the proper process. The ZARO listing on CoinMarketCap is now live at coinmarketcap.com/currencies/zaro-coin.

What was unaffected. The scam was an off-chain operational-capital loss. It did not affect any on-chain position, the ZARO contract, the LP, or any structural component of the project. The funds lost were operational capital from the company treasury — the same operational capital documented in Section 4 as having funded early-stage company setup costs. The token's architecture was never touched.

Reporting and disposition. The malicious domain was reported to the relevant registrars and platform abuse teams. The site was taken down. No further enforcement action was pursued by authorities, and the operators of the attack have not been publicly identified or charged. This is a common disposition for small-dollar phishing operations involving multi-jurisdictional actors; the typical outcome is domain takedown without further enforcement, and operators frequently reconstitute under new domains.

The pattern is documented here for two reasons. First, as completeness in the project's operational record. Second, as threat-intelligence value for other projects in the listing pipeline: the X-verification-post → spoofed-CMC-reply attack window is a real operational vulnerability, and any project posting a verification message on a public timeline should expect the same window to be monitored.

The chronology above documents the project's first year. This section documents where things stand at the time of this writing.

On-chain structure. The ZARO contract at 0xc311FD6DA9686507F33991543d8158EF5FaDd5E7 remains renounced and mathematically immutable. No party — including the founder, the company, or any third party — can modify the contract, mint additional tokens, pause transfers, blacklist wallets, or alter any contract parameter. The 30% liquidity position remains locked at UNCX for 255 years. Total supply remains permanently fixed at 1,000,000,000 ZARO across all chains combined. The bridged contracts on BNB Chain (0xa9D72F6C1490647DF20E8Fad3C136cA6AC42c2fc) and Solana (AbzXS6NfGvCtg5B1rqZ1JSfoDHkwTAeEYJkWkHhCe38W) remain 1:1 backed by the canonical ZARO supply locked on Ethereum.

Treasury. The post-incident treasury structure documented in Section 10 is the current state. Every ZARO token held by the company or by the founder outside the permanently locked 30% LP has been paid for through capital deployed at market or original-buyer prices. The entirety of the non-locked supply held in company or founder positions was acquired through the Path 1 OTC settlements and Path 2 open-market purchases that followed the December 11 incident. All recovered tokens are held in hardware wallet cold storage.

Corporate structure. ZaroVerse Ltd remains active in the British Virgin Islands under Company Number 2183451. The UAE and Jordan operational subsidiaries documented in Section 2 remain active. The corporate purpose of the company — to build, own, and operate a transmedia entertainment universe — is unchanged.

Legal and intellectual property. The published BVI legal opinion analyzing ZARO's classification under six international regulatory frameworks remains valid; no change in classification or jurisdictional posture has occurred since publication. Ten USPTO trademark applications filed in connection with the project remain pending, with prosecution proceeding through the normal Patent and Trademark Office workflow. The on-chain components of the project (the contract, the LP lock, the bridge backing) are not regulated as financial instruments under any of the six frameworks the BVI opinion analyzed.

The universe being built. The studio side of the project — the cosmic saga that opens with The Yellow Spark, the lore, the planned animation and games, the merchandise, the podcast, the planned physical destinations — is in active development. The studio website operates at zaroverse.com as a separate surface from this one. Book 1 — The Yellow Spark — is in the production pipeline, with additional chapters and adjacent media to follow as the universe is built out over the coming years.

Transparency. The full transparency repository remains published and continues to be updated at github.com/zarocoin/zarocoin. The forensic report, the security advisory, the legal opinion, the whitepaper, the founder messages, and the contract source code are all accessible to anyone with a browser. The repository's update history is itself verifiable.

The project is operating. The contract is intact. The recovery is complete. The universe continues to be built.

Everything documented above is the record of one company building one project across approximately eleven months — from incorporation to the present. Read in order, the chronology is: a clean issuance, a fair on-chain purchase by the founder, a multi-chain deployment, a community-distribution treasury, a sophisticated phishing scam thirty days after mint, a malware-based theft five months later, a structured response, a personal buyback funded by the founder twice over, a recovery, and a present state with the contract still immutable and the LP still locked.

The record is one language. The universe being built is another. They tell the same story.

The Seed Core.

Inside the ZaroVerse fictional universe, the Seed Core is the object that arrives on Earth at the start of Book 1 — a small, smooth, layered stone with concentric internal banding, yellow at the core and cyan at the edges, planted in the soil where the protagonist's container crashed. The Seed Core is not a tool or a weapon or a battery. It is a foundation. It cannot be modified, destroyed, or controlled by any party in the universe. Whatever grows above it — the tree, the fruit, the protective dome, the protagonist's recovery — grows from the Seed Core's permanence. The Seed Core is the universe's structural constant.

In the chronology above, the Seed Core is the renounced contract. (See Section 3.)

The ZARO contract at 0xc311FD6DA9686507F33991543d8158EF5FaDd5E7 was renounced on June 30, 2025. The ownership of the contract was transferred to the zero address. From that moment forward, no party — including the founder, the company, or any third party — could modify the contract, mint additional tokens, pause transfers, blacklist wallets, or alter any contract parameter. The contract became mathematically immutable. Whatever happens to ZARO from this point on, whatever fruit grows from the foundation, the foundation itself cannot be touched.

The Seed Core in the lore and the renounced contract in the chronology are the same object told in two languages.

The fruit.

Within the universe, the Seed Core grows a tree, and the tree bears fruit. The fruit is the visible, navigable, tradable expression of the Seed Core's permanence. In the lore, the fruit has life stages: birth, growth, maturity, and — when the cosmic fungus comes — burning. In Chapter 5 of The Yellow Spark, the fruit on the tree is scorched. The fruit does not scatter or fall. It stays attached to the tree, blackened, cracked open, with molten heat visible through the fissures. The branch beside it has gone dead. This is the imagery the canon assigns to the moment the protagonist looks at everything he has been building and watches it nearly end.

In the chronology above, the fruit is the ZARO Coin token. (See Section 6, Section 7, and Section 9.)

The token went through visible life stages between June 30, 2025 and the present:

• Birth and growth (June 30 – November 2025) — the launch and early circulation, the supply distributed across the locked LP, the founder's OTC position, and the community-distribution treasury.
• Maturity (peak before December 11) — the project at full vitality, the universe's fictional and structural infrastructure in place, market capitalization above one million dollars, the trading volume stable.
• Burning (December 11, 2025, approximately 14:56–15:41 UTC) — the malware-based theft, the dump on Uniswap, the chart in flames. The fruit blackened. The branch beside it dead.
• Recovery (December 2025 – February 2026) — the buyback, the supply paid for twice, the structural defenses holding, the price stabilizing, the golden light fighting back through the burnt crust.
• What comes next — the universe being built continues. The fruit will change because the experience changed it. The branch regrows leaves on the other side.

Chapter 5 of Book 1 was lived first, then written. The film strip of the fruit's life stages, rendered as universe artwork, is the chronology above told in a different language. Both are the same record.

The cosmic fungus is real.

The ZaroVerse fictional universe features a recurring threat called the cosmic fungus — the Ink. The fungus is parasitic, intelligent, and hunts beings of yellow light specifically. It moves hidden inside beautiful objects. It exploits the act of welcome. It moves through systems that were built to be open. It is, in the canon of the universe, the central antagonist.

The fungus was not invented as a fictional concept and then applied to the founder's experience. The reverse is what happened. Thirty days after mint, while the project was up and the structural infrastructure was being built out in good faith, the project was attacked by a sophisticated phishing operation that was actively monitoring the founder's public communications. Five months later, the project was attacked again — this time by a targeted malware campaign delivered through a promoted advertisement on X that was geographically profiled to the founder's physical location, with the attack vector packaged inside what looked like a beautiful AI tool. The thing that nearly took the project came through a door the founder opened himself, presented as something he should welcome.

The fungus in the lore is the experience of being hunted by an environment that hunts. It is parasitic, intelligent, and follows beings who build openly.

The beacon is also real.

The Yellow Spark names its protagonist after the color of the light he carries. Zaro is a being of yellow light in a cosmos that is otherwise mostly dark. His function within the universe is not to defeat the fungus through combat. His function is to be a beacon — a light that other beings can navigate toward, that other lights can recognize, that the cosmic dark cannot fully extinguish even when it overwhelms the local field.

The structural choices documented in this record — the renounced contract, the 255-year LP lock, the founder buying at public price, the treasury minted for free distribution, the BVI legal opinion analyzing the token under six international regulatory frameworks, the ten USPTO trademark filings, the published forensic report, the public security advisory — are the choices of a project trying to be a beacon: visible, navigable, structurally legitimate, not extinguishable by any single attack vector.

When the December 11 attack came, the beacon function was tested directly. The contract held. The LP held. The bridge backing held. Only the operational treasury fell, to a Trojan attack that came through the founder's own machine. The structural layers built to be unbreakable were, in fact, unbreakable. The light continued.

The founder's choice.

The choice to decline the protective anonymity, to be named, to build through institutional infrastructure rather than around it, and to publish this complete record is itself a structural fact about the project. It is documented here for the same reason every other structural fact is documented: anyone evaluating the project deserves to know.

The studio side and the child it is built to protect.

The token side of this project is where the attacks land. The contract address is public, the wallets are public, the founder is public — and the visibility that makes the project trustworthy is the same visibility that makes it targetable. December 11 was the proof of that.

The studio side of the project is what the structural defenses are protecting. The studio side is the cosmic saga that opens with The Yellow Spark. It is the universe being built — the lore, the characters, the planned animation and games, the merchandise, the podcast, the future physical destinations. It is the work that will continue long after any single attack has been weathered. The studio side is, in the founder's framing, the innocent child of this project — the thing that needs protection precisely because it is what the protection is for.

The token does what tokens do. It documents the project on-chain, attracts attention, attracts attacks, and gets defended. The universe is what the project is building. The fruit grows so that the tree can be known; the tree grows so that the universe can have a record that everything traces back to. Both are necessary. Both are real. They are not separate projects; they are two faces of the same one.

NOT OVER.

Within The Yellow Spark, NOT OVER is the protagonist's mark — the symbol Zaro carves into surfaces when something he was building has nearly ended but he is choosing to continue. It appears as a story-world motif throughout the canon.

It is also the founder's actual operating posture.

The phishing scam thirty days after mint did not end the project. The malware-based theft on December 11 did not end the project. The public framing of the price collapse as a rug pull did not end the project. The defensively-withdrawn liquidity pools on BNB Chain and Solana did not end the project. The personal financial cost of buying back the entire non-locked supply, in some cases at twenty times the post-crash market price and during an Ethereum bear market, did not end the project.

The protective advice to disappear and rebuild anonymously did not end the project either. The founder declined to take it.

Continuation is this project's response to the environment it is being built inside. The contract remains immutable. The LP remains locked. The treasury has been rebuilt with founder capital. The universe is being written. The Yellow Spark, Book 1, opens with the founder's autobiography of the project's first year — and continues into the cosmic saga that survival has earned the right to build.

The four mirrors.

Reading the chronology and the canon side by side, the autobiographical structure is precise:

• The burning chart on December 11 became the burning tree in Chapter 5.
• The malware delivered through a beautiful AI tool became the Trojan crystal hiding the Ink inside a beautiful object.
• The buyback funded by the founder personally, supply paid for twice, became the carving — the symbol the protagonist inscribes when something has nearly ended and he is choosing to continue.
• The present state of the project — Seed Core intact, fruit recovering, branch regrowing leaves, the next stage of the universe in motion — became the recovery sequence of the canon's chapter five resolution.

The story was not written first. The events were lived first. The canon is the record of what survival looked like in this industry, rendered into the language of a cosmic universe because the experience of building openly in this environment was, in scale and intensity, cosmic.

The record above is the chronology. The universe being built is the canon. They are the same record told in two languages. Anyone who reads both will find the same project.

This is the first year. The Seed Core is planted. The tree continues to grow.

NOT OVER.