Hacker Loses $5.4M ETH to Phishing Scam After zkLend Heist

- Hacker loses 2,930 ETH to a phishing scam after stealing from zkLend in February.
- The hacker admitted the loss in an on-chain message and apologized to zkLend.
- zkLend increased its bounty to $500K for information leading to the hacker’s arrest.
In a plot twist straight out of a cyber-heist comedy, a hacker who swiped 2,930 ETH from zkLend just got scammed himself—losing it all to a phishing scheme! The hacker tried to launder his stolen funds through Tornado Cash, only to fall for a fake website. In an ironic turn of events, the scammer became the victim, watching $5.4 million in ETH disappear before his eyes.
In February, the hacker had stolen $9.6 million from zkLend. The attacker had manipulated the protocol’s lending accumulator using flash loans. By repeatedly depositing and withdrawing funds, they created rounding errors that allowed them to steal millions. They then moved the stolen funds to Ethereum but failed to launder them through Railgun.
Following the attack, zkLend offered the hacker a deal. If they returned 90% of the funds, they could keep 10% as a bounty and avoid legal action. The deadline passed without any response. Later, zkLend increased its bounty to $500,000 for any information leading to the hacker’s arrest.
In a series of March 31 transfers, the hacker first sent 100 ETH transactions to an address labeled Tornado.Cash: Router. Later, they made three smaller deposits of 10 ETH each. Around this time, a blockchain user had warned the hacker about the fake website but by then, they had lost everything.
Source: etherscan
After the funds disappeared, zkLend asked the hacker to return any remaining money. The hacker replied that they had nothing left. He said, “I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost.”
In an on-chain message to zkLend, the hacker described the loss as devastating and apologized for the damage caused. They further directed the firm to connect with the other website to recover their funds. asked zkLend to focus on the phishing site’s owners to recover the funds.
Related: Hackers Sell Gemini and Binance User Data on Darkweb: Report
Losses from crypto scams and hacks reached over $33 million in March alone. However, that number dropped to $28 million after 1inch recovered stolen funds. While in February, the crypto losses were much higher, with $1.53 billion lost. The biggest attack was the $1.4 billion Bybit hack, reportedly carried out by North Korea’s Lazarus Group.