Hacker falls victim to phishing scam after exploiting ZkLend for millions

ZkLend hacker admits to using fake Tornado Cash platform, inadvertently compounding fund recovery efforts.

Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.

ZkLend, a decentralized lending protocol built on Starknet, has confirmed that the hacker responsible for its February exploit lost a significant portion of the stolen funds to a phishing scam.

In an April 1 post on X, ZkLend revealed that the attacker tried to launder 2,930 ETH, worth around $5.4 million, through crypto mixer Tornado Cash.

However, instead of using the legitimate platform, the hacker mistakenly interacted with a malicious phishing site: tornadoeth[.]cash. As a result, another party successfully drained the ETH.

Blockchain analytics firm Lookonchain corroborated ZkLend’s findings, confirming the loss of 2,930 ETH due to the phishing incident.

Interestingly, the hacker later sent an on-chain message to ZkLend’s deployer address, admitting the blunder. In the message, the attacker wrote:

“I tried to move funds to Tornado but used a phishing website. All the funds have been lost. I’m devastated and sorry for the havoc and losses caused. I don’t have the coins anymore.”

The hacker urged ZkLend to pursue the phishing site operators instead.

‘No connection’

This unexpected turn has fueled speculation that the original hacker and the phishing scammers might be connected, though no proof has surfaced to support that theory.

Meanwhile, ZkLend stated that the phishing website appears to have been active for over five years. The project furthered that no concrete evidence links the phishing operators to the original hacker.

Nonetheless, wallet addresses tied to the phishing site have been added to ongoing fund-tracing efforts.

The team also noted increased activity from wallets associated with the hacker. Security experts, centralized exchanges (CEXs), and relevant authorities were monitoring these movements in real-time.

ZkLend was exploited in February, with blockchain security firm Cyvers estimating the loss at approximately $9.5 million.

The protocol offered the attacker a 10% bounty if they returned the rest. However, the hacker ignored the proposal and kept the funds, prompting ZkLend to partner with security teams from Starknet, StarkWare, and Binance in a broader fund recovery effort.