- A hacker who stole 2,930 ETH from zkLend lost all funds to a phishing scam.
- The hacker mistakenly used a fake Tornado Cash site, losing $5.4 million worth of ETH.
- Investigators suspect the hacker may be linked to the phishing site used in the scam.
The hacker who stole 2,930 ETH from zkLend has been ripped off in a phishing scam. While the hacker was trying to launder the stolen funds through Tornado Cash on March 31, 2025, the hacker used a fake version of the website, and the funds were gone. The entire amount, equivalent to about $5.4 million, was transferred to another scammer.
The hacker, who had exploited zkLend in February, left an on-chain message confessing the loss. Apologizing for the damage caused, they described the event as devastating. The hacker asked zkLend to keep an eye on the phishing site’s operators rather than continue pursuing them.
Attempt to Launder Funds Ends in Another Theft
The hacker’s activity was tracked on-chain. Blockchain investigators confirmed that the hacker attempted to move the stolen funds through Tornado Cash, a well-known cryptocurrency mixer. They sent several small test transactions of 10 ETH each, each one of which was successful, before trying to transfer the full amount. Before losing the funds, they were warned by another blockchain user not to visit the fake site, but ignored.
Through on-chain messages, zkLend had been in contact with the hacker. The hacker received a deal from the platform to keep 10% of the stolen funds if they return the rest. They never responded to the offer until it was too late, losing everything.
Investigators Suspect Hacker’s Story May Be False
The transactions are being analyzed by onchain investigators to determine if the hacker’s claim of being phished is real. Some suspect the hacker could have something to do with the phishing site and is trying to make the trail of stolen funds more difficult to track.
Investigators noticed that the hacker used an Ethereum vanity address linked to a previously identified scam. Tornadoeth.cash, the phishing site that they used, looked exactly the same as the real Tornado Cash domain but has been flagged for fraudulent activity. The fake site has been up for like five years, and so it is unlikely that someone sophisticated would mistake it for the real platform. The hacker’s final on-chain message claimed they had no funds left to return.
zkLend’s Response and the Growing Trend of Crypto Hacks
After the loss of funds, zkLend updated the bounty offer. Previously, the hacker was offered 10% of the stolen sum in exchange for returning the rest. zkLend then offered a $500,000 bounty for any information that could lead to the hacker’s arrest after the loss.
Crypto hacks and scams continue to pose major risks in the industry. By March 2025 alone more than $33 million of digital assets were stolen. However, this figure plummeted to $28 million following a recovery by 1inch. In February, the zkLend exploit was one of the latest attacks in the last few months. Using an empty market exploit, the hacker was able to leverage zkLend’s lending protocol using flash loans to steal millions. Investigators are still looking into possible links between the phishing site and the initial zkLend exploit.
