- The zkLend hacker lost all 2,930 stolen ETH to a fake Tornado Cash phishing contract.
- On-chain security analysts confirmed the scam, reinforcing how risky DeFi remains even for hackers.
It was Karma’s revenge in the crypto space as the hacker who stole 2,930 ETH worth about $9.6 million from zkLend has lost it all to a phishing scam. The attacker, attempting to launder the funds through Tornado Cash, later ended up sending everything to a fake version of Tornado Cash website, resulting in an immediate loss.
The original zkLend hack occurred on February 12, when the attacker manipulated a rounding error in the protocol’s smart contracts. By using flash loans and small deposits, they tricked zkLend’s lending accumulator into releasing excess funds. The exploit let them siphon off 2,930 ETH before being detected.
zkLend Security Incident Post Mortem.
— zkLend (@zkLend) February 14, 2025
To our users,
Starting on 11th of February, zkLend suffered an attack resulting in the loss of around $9.6 million USD in funds. We would like to thank our users and partners for their patience and trust in this difficult time. In addition…
In response, zkLend temporarily shut down operations, worked with cybersecurity firms to fix vulnerabilities, and partnered with law enforcement to track the stolen funds.
According to On-chain Analytics Firm Lookonchain, the hacker, while attempting to launder his spoils, fell victim to a phishing scam and lost the entire funds to another thief. This incident is an eye opener to risks involved in using decentralized mixing services for illegal transactions.
Hacker’s Money Laundering Plan Backfires
On-chain data shows that on March 31, the zkLend hacker began sending multiple 100 ETH transactions, thinking they were using Tornado Cash. Instead, the hacker had unknowingly interacted a different phishing contract primarily designed to impersonate the mixer. The stolen funds was drained immediately.
Realizing the horrible mistake, the hacker left an on-chain message to Zklend: “I tried to move funds to Tornado but used a phishing website. All the funds are gone. I’m devastated. I deeply regret all the havoc I caused.” The hacker confessed.
After the hacker’s public message, zkLend replied and urged them to return any remaining funds to a designated recovery wallet. But blockchain records show that 25 ETH was later transferred to a wallet labeled “Chainflip1,” raising speculation about whether some assets are still recoverable.
The Zklend hack issue is just part of the growing trend of high profile cryptocurrency hacks. According to data from Immunefi, Q1 2025 alone has recorded one of the worst cryptocurrencies breaches with hackers stealing over $1.54 Billion of digital assets.
This case highlights the relentless dangers in the DeFi space. Phishing scams, smart contract exploits, and laundering risks are constant threats—not just to users, but even to those trying to game the system. As attacks grow more sophisticated, security education and stronger defenses are more critical than ever.
Highlighted Crypto News for Today
Tether Acquires 8,888 BTC for $735M in Q1 2025, Total Holdings Reach $8.41B
