TLDR
- zkLend hacker lost 2,930 ETH (worth $5.4 million) to a Tornado Cash phishing site
- Original exploit in February 2024 netted the attacker $9.6 million
- Hacker sent funds to fake Tornado Cash site in 100 ETH increments
- zkLend had previously offered the hacker a 10% bounty to return funds
- This is part of a trend of crypto hacks, with Q1 2025 seeing $1.64 billion stolen
The Phishing Trap
The hacker who stole $9.6 million from decentralized lending protocol zkLend in February has fallen victim to a phishing scam. According to on-chain messages sent on March 31, the attacker lost 2,930 ETH (about $5.4 million) to a website posing as Tornado Cash.
“I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated,” the hacker wrote in a message through Etherscan.
The message came after the attacker sent multiple transactions of 100 ETH each to an address labeled “Tornado.Cash: Router.”
The scam was completed when the hacker made three final deposits of 10 ETH. By this point, all the transferred funds were already lost to the fake mixing service.
Another user had tried to warn the hacker about the mistake. “Don’t celebrate,” the user wrote, pointing out that the funds were sent to a scam URL.
“It is so devastating. Everything gone with one wrong website,” the hacker replied in another on-chain message. The attacker seemed unaware of their error until it was too late.
The Original Exploit
The zkLend protocol was first attacked on February 11, 2025. The hacker used what’s known as an “empty market exploit” to steal funds from the lending platform.
According to zkLend’s post-mortem report from February 14, the attacker started with a small deposit. They then used flash loans to inflate the lending accumulator.
After this setup, the hacker repeatedly deposited and withdrew funds. This method took advantage of rounding errors that became larger due to the inflated accumulator.
The stolen funds were then moved to the Ethereum blockchain. The attacker later tried to launder the money through Railgun but failed when protocol policies returned the funds to the original address.
In total, the hacker managed to steal about $9.6 million worth of cryptocurrency. This made it the fifth-largest exploit in the first quarter of 2025, according to Immunefi.
Failed Negotiations
Following the February exploit, zkLend offered the hacker a deal. They could keep 10% of the stolen funds as a bounty if they returned the rest by February 14.
The protocol also promised to release the hacker from legal trouble. There would be no pursuit by law enforcement if the remaining ETH was returned.
However, the deadline passed without any public response from the hacker. Neither party acknowledged the offer before it expired.
On February 19, zkLend changed its approach. The protocol announced on X that it was now offering a $500,000 bounty for information leading to the hacker’s arrest and the recovery of funds.
zkLend also said it had enlisted help from security experts. Teams from the Starknet Foundation, StarkWare, and Binance Security were working to locate and recover the stolen funds.
Now that the hacker has lost most of the ETH to a phishing scam, the situation has taken an unexpected turn. The hacker asked zkLend to “redirect your efforts towards those site owners to see if you can recover some of the money.”
zkLend responded by asking the hacker to “Return all the funds left in your wallets” to the zkLend wallet address. On-chain data shows that another 25 ETH was then sent to a wallet listed as Chainflip1.
The zkLend incident is part of a larger trend of cryptocurrency thefts. According to blockchain security firm CertiK, losses to crypto scams, exploits, and hacks totaled over $33 million in March 2025.
However, this figure dropped to $28 million after decentralized exchange aggregator 1inch successfully recovered its stolen funds. February was much worse, with nearly $1.53 billion lost to attacks.
The largest single attack was the $1.4 billion hack of Bybit on February 21. This attack, attributed to North Korea’s Lazarus Group, now holds the record for the biggest crypto hack ever.
It doubled the previous record set by the $650 million Ronin bridge hack in March 2022. The zkLend exploit, while much smaller, shows that even hackers can become victims in the crypto world.
According to Immunefi’s Q1 2025 report, the first three months of the year saw the worst quarter for crypto security breaches in history. Hackers stole a total of $1.64 billion during this period.
Decentralized finance protocols lost $106.8 million across 38 separate incidents. Ethereum and BNB Chain were the most targeted networks for these attacks.
While DeFi platforms suffered numerous smaller attacks, centralized finance platforms saw just two incidents. However, these two attacks resulted in much larger losses, totaling $1.5 billion.
This pattern of attacks and counter-attacks highlights the complex security landscape in cryptocurrency. Even successful hackers must be careful with their stolen funds, as they can easily become targets themselves.
Stay Ahead of the Market with Benzinga Pro!
Want to trade like a pro? Benzinga Pro gives you the edge you need in today's fast-paced markets. Get real-time news, exclusive insights, and powerful tools trusted by professional traders:
- Breaking market-moving stories before they hit mainstream media
- Live audio squawk for hands-free market updates
- Advanced stock scanner to spot promising trades
- Expert trade ideas and on-demand support
