In an ironic twist of fate, the hacker behind February’s $9.57 million exploit on zkLend has allegedly fallen victim to another scam. The suspected criminal claimed in an on-chain message that they lost 2,930 ETH, worth about $5.4 million, while attempting to launder the stolen funds through Tornado Cash.
The zkLend Hack
zkLend also confirmed the bizarre turn of events in a post on X, stating that the attacker had interacted with a known phishing website, tornadoeth[.]cash, as they attempted to cover their tracks from pursuers. The scam site is said to have been in operation for the last five years and immediately drained the thief’s entire balance of 2,930 ETH. In an on-chain message to zkLend, the attacker appeared crestfallen, stating:
“Hello, I tried to move funds to Tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2,930 ETH have been taken by that site’s owners… Please redirect your efforts towards those site owners to see if you can recover some of the money.”
The saga began in February, just a couple of days before Valentine’s, when the Starknet-based lending protocol was hacked for more than $9.5 million. The exploiter, identified only by the address 0x64…9109, reportedly capitalized on a decimal precision vulnerability in zkLend, manipulating rounding errors within its lending accumulator to artificially inflate its balance. This led to the theft of approximately 3,700 ETH and prompted the platform to temporarily pause withdrawals.
Following the theft, zkLend attempted to negotiate with the perpetrator, offering a white hat bounty of 10% of the stolen funds in exchange for the return of the remaining 3,300 ETH. However, the hacker remained unresponsive, moving the crypto assets through various channels, including a transfer of 706 ETH valued at $1.8 million sent through Railgun.
Legitimacy Concerns: A Staged Disappearance?
Not everyone has accepted the phishing story at face value. Many in the crypto community have raised doubts over the hacker’s claims, with speculation that the narrative may have been fabricated to feign a loss and thereby evade further scrutiny from blockchain investigators and law enforcement. Given that zkLend has been actively tracking the stolen funds and collaborating with on-chain security firms and law enforcement, some argue this could be a strategic move to make the illicit funds disappear.
Reactions on X quickly flooded in, with users highlighting the suspicious timing of the announcement. One notable comment from user @pvt.eth sarcastically noted, “Right about time for April Fool.” Others speculated on a potential connection between the hacker and the phishing scheme. @0xGekko echoed skepticism, stating:
“Meh, screams more like the hacker is trying to avoid any heat from a possible investigation.”
Despite the speculation, zkLend is treating the phishing loss as a legitimate incident, maintaining that there is currently no conclusive evidence linking the phishing website and the exploiter.
This unfolding drama serves as a potent reminder of the unpredictable and often precarious nature of the cryptocurrency landscape, where even those who operate on the fringes can succumb to the very vulnerabilities they seek to exploit. The post zkLend Hacker Loses $5.4M to Tornado Cash Scam appeared first on CryptoPotato.
