TL;DR
- Phishing Fallout: The hacker lost all 2,930 ETH ($9.6M) by mistakenly depositing funds into a fake Tornado Cash site during a laundering attempt.
- Origin in Exploit: Following a smart contract flaw exploited on February 12, initial negotiations with zkLend failed, culminating in the irreversible loss via phishing.
- DeFi Security Alert: This incident highlights that even cybercriminals can fall victim to scams, emphasizing the urgent need for stronger security in DeFi protocols.
The hacker behind the zkLend exploit has lost all 2,930 ETH—worth approximately $9.6 million—to a phishing scam while attempting to launder the stolen funds. The attacker mistakenly deposited the assets into a fake Tornado Cash website, resulting in an immediate and irreversible loss.
The incident unfolded on March 31, when the hacker attempted to move the stolen Ethereum through Tornado Cash, a popular crypto mixing service. However, instead of using the legitimate platform, they unknowingly interacted with a fraudulent front-end designed to impersonate Tornado Cash.
The Hacker’s Desperate Plea
Realizing their mistake too late, the hacker sent an on-chain message to zkLend’s deployer address, admitting their blunder. They went on to apologize for the attack and urged zkLend to focus its recovery efforts on the phishing scam operators rather than pursuing them.
“I tried to move funds to Tornado, but I used a phishing website, and all the funds have been lost. I am devastated,“ the hacker wrote.
The zkLend Exploit and Failed Negotiations
The original zkLend hack occurred on February 12, when the attacker exploited a rounding error in the protocol’s smart contracts. By using flash loans and small deposits, they manipulated zkLend’s lending accumulator, siphoning off 2,930 ETH before being detected.
Following the exploit, zkLend attempted to negotiate with the hacker, offering a 10% bounty in exchange for the return of the remaining funds. When the hacker ignored the deadline, zkLend escalated the matter to law enforcement and enlisted security experts from Starknet Foundation, StarkWare, and Binance Security to track the stolen assets.
A Harsh Lesson in DeFi Security
This incident highlights the growing risks in DeFi, where even hackers can fall victim to scams. According to Immunefi’s Q1 2025 report, the first three months of the year saw $1.64 billion stolen in crypto security breaches, with the zkLend hack ranking among the top five exploits.
As DeFi continues to evolve, security remains a pressing concern—not just for legitimate users, but for cybercriminals as well. In this case, the hackers’ greed ultimately led to their downfall, proving that even in crypto, crime doesn’t always pay.
