In a surprising turn of events, the hacker responsible for exploiting the decentralized money-lending protocol zkLend for a staggering $9.6 million has reported a significant loss of their illicit gains to a phishing website masquerading as Tornado Cash. This incident not only highlights the vulnerabilities of cryptocurrency ecosystems but also serves as a vivid reminder of the constant threats lurking in the digital realm.
The individual behind the exploit communicated their urgency and regret in a message sent via Etherscan on March 31, revealing that they had lost 2,930 Ether (ETH) after being duped by a fraudulent site promising to facilitate transactions through Tornado Cash.
In multiple transfers on that day, the hacker sent chunks of 100 ETH to an address named Tornado.Cash: Router, finishing their efforts with three additional deposits of 10 ETH each. “Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” the hacker expressed.
The hacker behind the zkLend exploit claims to have lost most of the funds to a phishing website posing as a front-end for Tornado Cash. Source: Etherscan
The hacker's message continued: “All the 2,930 Eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money.”
In response, zkLend asked the hacker to return the funds remaining in their wallet to the protocol’s designated address. However, within the same timeframe, another 25 ETH was sent to a wallet labeled Chainflip1, leaving many to question the sincerity of the hacker’s regret.
Another user promptly warned the hacker about the mistake, cautioning against premature celebrations since all the funds had been sent to a scam URL. The hacker acknowledged their devastating error, reflecting on the risks associated with operating in the digital currency landscape.
Understanding the zkLend Exploit
To provide context, zkLend was exploited on February 11, when an attacker used a small deposit together with flash loans to inflate the lending accumulators. With the accumulators inflated, rounding errors became significant, which allowed the attacker to accumulate a disproportionate amount of funds.
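The rounding problem described above, shown as an added illustration that is not zkLend's contract code and not part of the original article: a simplified fixed-point model where an accumulator converts underlying amounts into raw balances. The scale, the function names, the sample accumulator values and the use of truncating division as the weak rounding mode are all assumptions made for the example.

```python
# Added illustration: simplified model, not zkLend's contract code.
SCALE = 10**18  # assumed fixed-point scale for the accumulator

# Constructed sample values: a healthy accumulator (1 raw unit ~ 1 underlying)
# and an inflated one (1 raw unit ~ 4,000,000 underlying).
NORMAL = 1 * SCALE
INFLATED = 4_000_000 * SCALE


def burn_round_down(amount: int, accumulator: int) -> int:
    """Raw balance burned for a withdrawal, truncating (favours the user)."""
    return amount * SCALE // accumulator


def burn_round_up(amount: int, accumulator: int) -> int:
    """Hardened variant: ceiling division (favours the protocol)."""
    return (amount * SCALE + accumulator - 1) // accumulator


def face_value(raw: int, accumulator: int) -> int:
    """Underlying amount that a raw balance represents."""
    return raw * accumulator // SCALE


def unbacked_withdrawal(amount: int, accumulator: int, burn) -> int:
    """Underlying paid out beyond the value of the raw balance burned."""
    return max(0, amount - face_value(burn(amount, accumulator), accumulator))


def max_rounding_loss(accumulator: int) -> int:
    """Worst case per truncating withdrawal: just under one raw unit."""
    return max(0, face_value(1, accumulator) - 1)


if __name__ == "__main__":
    amount = 7_999_999  # constructed withdrawal size in underlying units
    for label, acc in (("normal", NORMAL), ("inflated", INFLATED)):
        print(label,
              "round-down leak:", unbacked_withdrawal(amount, acc, burn_round_down),
              "round-up leak:", unbacked_withdrawal(amount, acc, burn_round_up),
              "worst case:", max_rounding_loss(acc))
```

With a healthy accumulator the truncation error is negligible, while with an inflated one a single rounding step is worth almost a whole raw unit. That is why conversions that debit a user should round against the user.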
Following the exploit, zkLend offered the hacker a chance to retain 10% of the funds as a bounty, coupled with a promise of immunity from legal repercussions if they returned the rest. However, the hacker did not respond as the deadlines passed.
According to blockchain security firm CertiK, the total losses to crypto scams and exploits reached over $28 million after accounting for a successful recovery of stolen assets from decentralized exchange aggregator 1inch. February alone recorded nearly $1.53 billion in losses from hacks, with an alarming majority traced back to a single attack tied to North Korea’s Lazarus Group.
In conclusion, this peculiar scenario stands as a cautionary tale not only for hackers but for all participants in the cryptocurrency sphere: the digital world is rife with risks that can ensnare even the most seasoned individuals, and vigilance is paramount.