zkLend Hacker Claims Losing Stolen ETH to Tornado Cash Phishing Site
The hacker behind a $9.6 million exploit of the decentralized money-lending protocol zkLend in February has fallen victim to another phishing scam, this time resulting in the loss of a significant portion of the stolen funds.
According to onchain messages sent to zkLend through Etherscan on March 31, the hacker claimed to have lost 2,930 Ether (ETH) from the stolen funds to a phishing website posing as a front-end for Tornado Cash. The hacker expressed their devastation and regret over the loss, stating that they were "terribly sorry for all the havoc and losses caused."
The hacker's message revealed that they had sent $5.4 million in Ether to the fake version of Tornado Cash, transferring 100 Ether at a time to an address named Tornado.Cash: Router. The final three deposits were 10 Ether each.
"All the 2,930 Eth have been taken by that site owners," the hacker said in their message. "I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money."
zkLend responded to the message by asking the hacker to return all the funds left in their wallets to the zkLend wallet address.
A Glimmer of Hope: A Bounty Offer for Recovery
Following the exploit, zkLend proposed that the hacker could keep 10% of the funds as a bounty and offered to release the culprit from legal liability and scrutiny from law enforcement if the remaining Ether was returned. The offer's deadline passed with no public response from either party.
In a February 19 update on X, zkLend announced that it was now offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered. This move suggests that the protocol is committed to recovering as much of the stolen funds as possible.
A Look Back at the Exploit
The $9.6 million exploit occurred on February 11, when an attacker used a small deposit and flash loans to inflate the lending accumulator. The hacker repeatedly deposited and withdrew funds, exploiting rounding errors that became significant due to the inflated accumulator.
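The rounding problem described above, as an added example that is not zkLend's code: a simplified pool model in which the `Pool` class, the 10**27 scale and every amount are constructed assumptions. It goes beyond the article by comparing a withdrawal burn that rounds down with one that rounds up in the protocol's favor, checked at a normal and an inflated accumulator.

```python
SCALE = 10**27  # fixed-point scale of the accumulator (assumed value)

def to_raw(amount, acc, round_up):
    """Convert a token amount into raw balance units at accumulator `acc`."""
    num = amount * SCALE
    return -(-num // acc) if round_up else num // acc

class Pool:
    """Hypothetical lending pool: face value = raw balance * acc / SCALE."""
    def __init__(self, acc, burn_rounds_up, cash=10**9):
        self.acc, self.burn_rounds_up, self.cash = acc, burn_rounds_up, cash
        self.raw = {}

    def deposit(self, user, amount):
        # Minting rounds down, so a depositor is never credited too much.
        self.raw[user] = self.raw.get(user, 0) + to_raw(amount, self.acc, False)
        self.cash += amount

    def withdraw(self, user, amount):
        # The rounding direction of the burn is the setting under test.
        burned = to_raw(amount, self.acc, self.burn_rounds_up)
        if burned > self.raw.get(user, 0) or amount > self.cash:
            raise ValueError("insufficient balance")
        self.raw[user] -= burned
        self.cash -= amount

    def face_value(self, user):
        return self.raw.get(user, 0) * self.acc // SCALE

def round_trip_gain(acc, deposit_amt, withdraw_amt, burn_rounds_up):
    """Net tokens gained by one deposit then one withdrawal; None if rejected."""
    pool = Pool(acc, burn_rounds_up)
    pool.deposit("user", deposit_amt)
    try:
        pool.withdraw("user", withdraw_amt)
    except ValueError:
        return None
    return withdraw_amt + pool.face_value("user") - deposit_amt

if __name__ == "__main__":
    # Constructed accumulator values: 1.0 (normal), 4.0 and 4,000,000.0 (inflated).
    for acc, dep, wd in [(SCALE, 4, 4), (4 * SCALE, 4, 7),
                         (4_000_000 * SCALE, 4_000_000, 7_999_999)]:
        for up in (False, True):
            print(acc // SCALE, "round up" if up else "round down",
                  round_trip_gain(acc, dep, wd, up))
```

In this model the round-down burn lets the gain per round trip grow with the accumulator, while the round-up burn rejects the same withdrawal, which is the invariant a regression test for this class of bug should assert.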
The attacker bridged the stolen funds to Ethereum and later failed to launder them through Railgun after protocol policies returned them to the original address. Despite this, the loss of Ether to a phishing website has left many wondering how the hacker fell victim to another scam.
A Devastating Loss: The Impact on the DeFi Ecosystem
The losses to crypto scams, exploits, and hacks have been staggering in recent months. According to blockchain security firm CertiK, losses totaled over $33 million in March, but dropped to $28 million after decentralized exchange aggregator 1inch successfully recovered its stolen funds.
However, the total losses for February remain a significant concern, totaling nearly $1.53 billion. The $1.4 billion attack on Bybit by North Korea's Lazarus Group made up the lion's share and took the title for largest crypto hack ever, doubling the $650 million Ronin bridge hack in March 2022.
As the DeFi ecosystem continues to evolve, it is clear that hackers will always be a threat. However, with the efforts of protocols like zkLend and the recovery of stolen funds through bounties and security measures, there is hope for minimizing these losses in the future.