zkLend Exploit: Hacker Loses $5.4M to Phishing Scam

zkLend Hacker Falls Victim to Phishing Scam, Losing $5.4M in Stolen Ethereum After $9.6M DeFi Exploit


TL;DR

The zkLend hacker, responsible for a $9.6 million exploit, claimed to have lost 2,930 ETH to a phishing site mimicking Tornado Cash. zkLend urged the return of remaining funds, later offering a $500,000 bounty for information. Crypto scams and hacks totaled $33 million in March, highlighting ongoing security risks.


The hacker behind February’s $9.6 million exploit of zkLend now claims to be a victim themselves, losing a major portion of the stolen Ether to a Tornado Cash phishing scam.

In an on-chain message sent via Etherscan on March 31, the attacker expressed regret and frustration, stating that 2,930 ETH ($5.4 million) had been lost after mistakenly interacting with a fraudulent Tornado Cash website.

Transaction records show the hacker attempting to move funds in batches of 100 ETH, with the final three transfers reduced to 10 ETH each, only to realize too late that the destination wasn’t the real Tornado Cash.

“Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” the hacker wrote.

The irony of a crypto thief falling for a scam wasn’t lost on blockchain watchers, sparking debates on whether this was a karmic twist or a calculated deception.

The hacker, seemingly realizing the gravity of their mistake, pleaded for zkLend to shift focus away from them.

“All the 2,930 ETH have been taken by that site’s owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money,” they wrote.

In response, zkLend urged the attacker to return whatever funds remained in their wallets, providing an official address for repayment. Yet, instead of compliance, on-chain data from Etherscan showed another 25 ETH being transferred to a wallet labeled Chainflip1.

Adding to the irony, another blockchain user had attempted to warn the exploiter before they realized their blunder.

“Don’t celebrate,” they wrote, pointing out that the entire sum had been funneled into the fake Tornado Cash site.

“It is so devastating. Everything gone with one wrong website,” the hacker admitted, sealing an unexpected turn of events that left both victims and attacker at a loss.

The $9.6 Million zkLend Exploit: How It Happened

On Feb. 11, zkLend became the target of a sophisticated exploit that resulted in the loss of $9.6 million. The attacker executed an "empty market" exploit by first making a minimal deposit and then utilizing flash loans to artificially inflate the lending accumulator, significantly distorting the protocol’s internal balance calculations.

With this manipulated state, the hacker repeatedly deposited and withdrew funds, leveraging rounding errors that, under normal circumstances, would be negligible. However, due to the artificially inflated accumulator, these small discrepancies accumulated into a substantial extraction of funds.
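The rounding effect described above can be reproduced in a simplified model. This is an added example, not zkLend's contract code: the `Market` class, the fixed-point scale and the accumulator values are assumptions constructed for illustration. It measures the worst shortfall a single withdrawal can leave when the burn is rounded down, at a normal and at an inflated accumulator, and shows that rounding the burn up removes it.

```python
# Simplified model constructed for illustration; not zkLend's contract code.
SCALE = 10**18  # fixed-point scale of the lending accumulator (assumed)


class Market:
    """Deposits are stored as raw units; face value = raw * accumulator / SCALE."""

    def __init__(self, accumulator, burn_rounds_up):
        self.acc = accumulator
        self.burn_rounds_up = burn_rounds_up
        self.raw = 0   # raw units owed to depositors
        self.cash = 0  # tokens the market actually holds

    def deposit(self, amount):
        # Minting rounds down, so a depositor never gets extra raw units.
        self.raw += amount * SCALE // self.acc
        self.cash += amount

    def withdraw(self, amount):
        num = amount * SCALE
        if self.burn_rounds_up:
            burned = -(-num // self.acc)  # ceiling: rounding favors the market
        else:
            burned = num // self.acc      # floor: rounding favors the withdrawer
        if burned > self.raw or amount > self.cash:
            raise ValueError("insufficient balance")
        self.raw -= burned
        self.cash -= amount

    def shortfall(self):
        """Tokens owed to depositors beyond what the market holds (0 if solvent)."""
        return max(0, self.raw * self.acc // SCALE - self.cash)


def worst_shortfall(accumulator, burn_rounds_up, deposit, max_withdraw):
    """Largest shortfall any single withdrawal in 1..max_withdraw can leave."""
    worst = 0
    for amount in range(1, max_withdraw + 1):
        m = Market(accumulator, burn_rounds_up)
        m.deposit(deposit)
        m.withdraw(amount)
        worst = max(worst, m.shortfall())
    return worst


NORMAL = 105 * SCALE // 100   # accumulator after modest interest accrual
INFLATED = 1000 * SCALE       # constructed value standing in for a manipulated one
```

With the floor-rounded burn, the per-withdrawal error is bounded by the face value of one raw unit, which is why it is negligible at `NORMAL` and large at `INFLATED`. A solvency check of this kind fits in a protocol's property or invariant tests.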

After securing the stolen assets, the attacker transferred them to the Ethereum network. An attempt was made to launder the funds through Railgun, a privacy protocol, but zkLend’s security mechanisms prevented the transaction and returned the assets to the originating address.

In response, zkLend reached out to the exploiter with a proposal, offering 10% of the stolen funds as a white-hat bounty. The protocol also assured that if the remaining Ether was returned, the hacker would not face legal repercussions or law enforcement scrutiny.

The deadline for zkLend’s white-hat bounty offer expired on Feb. 14 without any public response from the hacker.

With no sign of cooperation, zkLend escalated its efforts. In a Feb. 19 update on X, the protocol announced a new strategy offering a $500,000 reward for any verifiable information leading to the attacker’s arrest and the recovery of stolen funds.

The zkLend exploit is just one of many incidents contributing to the growing losses from crypto-related scams and hacks. According to blockchain security firm CertiK, March alone saw over $33 million lost to exploits, though this figure later dropped to $28 million after decentralized exchange aggregator 1inch successfully reclaimed its stolen funds.

February was an even more devastating month for the crypto industry, with nearly $1.53 billion lost to hacks and scams. The majority of these losses stemmed from a single event—the massive $1.4 billion attack on Bybit, attributed to North Korea’s Lazarus Group. This exploit now holds the record as the largest crypto hack in history, surpassing the infamous $650 million Ronin bridge attack from March 2022.

The zkLend exploit highlights the persistent vulnerabilities within the crypto space, where hackers continue to exploit technical loopholes and poor security practices. Despite the attacker’s unexpected misfortune of losing funds to a phishing scam, zkLend remains determined to recover what’s left, ramping up efforts with a substantial bounty.

Meanwhile, the broader crypto landscape faces an alarming rise in attacks, with billions lost to exploits. As cybercriminals become more sophisticated, the industry must prioritize security, proactive threat detection, and collaboration to minimize risks.

The hunt for the zkLend hacker continues, serving as a stark reminder that in the world of decentralized finance, no stolen funds are ever truly safe.