The hacker behind the $9.6 million exploit of Starknet-based lending platform zkLend has now lost the entire stolen stash of 2,930 ETH to a phishing scam.
In a surprising twist, the attacker unknowingly deposited the funds into a fake version of Tornado Cash—a popular crypto mixer—while attempting to launder them.
This latest turn highlights a growing trend where even sophisticated cybercriminals are falling prey to scams within the same ecosystem they exploit.
The loss was confirmed by De.Fi Antivirus Web3, a Consensys-backed cybersecurity project, which reported the incident on X on 31 March.
Blockchain data supports the claim, showing a clear outflow of funds to the fake site, followed by a message sent by the hacker to zkLend’s deployer address in a bid for damage control.
Attacker contacts zkLend
On-chain evidence shows the hacker attempted to obfuscate the stolen funds by using what they thought was Tornado Cash. However, the mixer site was a spoof.
The funds were instantly drained upon deposit.
Soon after realising the blunder, the attacker sent a message on-chain to zkLend, admitting the mistake.
In the message, the hacker acknowledged using a phishing site and losing everything.
They expressed regret, and encouraged zkLend to focus on tracking down the phishing scam operators instead of themselves.
🚨BREAKING: ZKLEND HACKER GOT REKT🚨
2,930 $ETH maliciously grabbed in the zkLend hack were mistakenly deposited to a copycat website of Tornado Cash
In the end, the hacker addresses the case to the zkLend deployer as they no longer have stolen assets
25
Reply
Copy link
This was not the attacker’s first communication with the protocol.
Following the 12 February exploit, zkLend had attempted to negotiate by offering a 10% bounty if the hacker returned the remaining funds by 14 February.
That deadline passed without a response, prompting zkLend to involve law enforcement and cybersecurity experts from Starknet Foundation, StarkWare, and Binance Security.
Among top Q1 2025 crypto hacks
The zkLend breach was one of the largest of the year so far.
According to Immunefi’s Q1 2025 report, the first three months of 2025 marked the worst quarter in crypto security history.
A total of $1.64 billion was stolen across various platforms. Of that, decentralised finance (DeFi) protocols accounted for $106.8 million across 38 incidents.
Ethereum and BNB Chain were the top two targets. Centralised platforms, although hit only twice, accounted for the vast majority of losses, with $1.5 billion stolen.
The zkLend exploit alone saw 2,930 ETH siphoned off in a targeted smart contract attack.
The loss of this ETH—currently valued at around $9.6 million—makes the phishing blunder a significant moment in crypto theft history, as it not only erased the stolen funds but also highlighted vulnerabilities from both attackers and victims in the DeFi ecosystem.
Fake mixers a rising threat
The attacker’s failed laundering attempt sheds light on a newer layer of risk: fake versions of legitimate crypto tools.
Tornado Cash, a well-known crypto mixing service used for privacy, has been targeted repeatedly by phishing scams.
As security protocols ramp up to recover hacked assets, phishing sites are now capturing stolen funds before they can even be laundered.
This trend raises broader concerns about the ecosystem’s security.
Even experienced hackers using advanced methods are being deceived by convincingly spoofed tools.
It also complicates efforts for law enforcement and recovery experts, as the destination addresses of phishing sites often vanish without a trace or are controlled by unknown operators.
With losses mounting, industry analysts are urging DeFi protocols and crypto users alike to improve operational security.
Meanwhile, the zkLend case adds to the mounting list of cautionary tales emerging from an already record-breaking quarter for crypto exploits.
The post ZkLend exploit backfires as hacker loses $9.6 million in ETH to phishing scam appeared first on Invezz
