Karma is a Boomerang! The hacker behind the $9.6 million exploit of the decentralized crypto lending protocol zkLend in February has claimed to have lost a significant portion of the stolen funds after falling victim to a phishing website posing as the token mixer platform Tornado Cash.
Now, the hacker has officially apologized to the zkLend team through an on-chain message, saying they are sorry and feel ‘devastated’, and asking the team to investigate the phishing website and try to recover the lost funds.
The zkLend attack is another blooming flower in the garden of cryptocurrency exploits. Let’s explore this case further.
zkLend Hacker Claims To Have Lost Stolen ETH To Phishing Website Scam
A significant security breach took place on the zkLend platform on February 12, 2025, resulting in the theft of ETH tokens worth $9.6 million. The tokens were then moved to Tornado Cash, a privacy-focused cryptocurrency mixer, to launder them.
Unfortunately, the hacker accidentally transferred the crypto to a phishing website impersonating the front-end for Tornado Cash, costing them 2,390 ETH, worth $5.45 million at current prices.
The price of ETH experienced a steep fall of 3.5%, dropping from $1,840 to $1,775 within 15 minutes after the incident took place. This volatility was followed by a rapid increase in the ETH trading volume across major exchange platforms.
The ETH/USDT pair saw volumes surge from 15,000 ETH to 18,000 ETH during this period. Similarly, the ETH/BTC pair saw an increase from 500 ETH to 600 ETH. This event highlighted the potential risks of using privacy tools like token mixers without confirming their legitimacy.
Before the Ether was lost, the zkLend team contacted the hacker and asked them to return 90% of the funds and keep 10% as a reward in exchange for being spared from legal liabilities. However, the hacker declined the offer and decided to launder the ETH, only to lose them all to another scam.
zkLend has responded to the hacker’s plea, asking them to return all the funds left in their wallets to the platform’s wallet address.
The hacker had planned on obscuring the funds’ origin by moving them through token mixers like Tornado Cash, only to be tricked by scammers.
What really shocked everyone was that the hacker then contacted the zkLend team through on-chain messages, expressing regret, saying the incident had left them devastated, and earnestly asking the team to track down the website and recover the lost funds. However, this confession letter raises doubts about the event’s authenticity.
How Did The zkLend Hack Take Place?
According to reports from the SlowMist Security Team, on February 12, zkLend, the leading Starknet-based crypto lending platform, was attacked by a hacker, resulting in a loss of $10 million worth of ETH tokens. In this exploit, the hacker took advantage of the fact that the safeMath library used by the smart contract performs direct division, which rounds the result down.
The attacker made the first move by making a small donation into an empty WSTETH market on the platform, then used donations to inflate the protocol’s lending accumulator. A series of repeated deposits and withdrawals heightened the value of the lending accumulator further.
The attacker then made two deposits to increase their raw_balance in the protocol to 4. When the hacker made a withdrawal, the burn calculation, a withdrawal amount divided by the accumulator value, resulted in a value of 1.5.
Since the protocol uses integer division, this was rounded down to 1.0, causing a decrease in their raw_balance from 4 to 3 instead of 2.5. When this process was repeated several times, their raw_balance value was artificially increased to 1724, which allowed them to drain all of the tokens deposited in other pools in the zkLend ecosystem.
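The rounding problem described above can be reproduced in a few lines. The following Python model is an added example, not zkLend's Cairo code: apart from raw_balance, every name in it (SCALE, burn_floor, burn_ceil, face_value, withdraw, unbacked_after_withdraw) and the accumulator value of 2 are assumptions chosen to match the 4 -> 3 figures in the text. It shows the round-down burn beside a round-up burn, plus an invariant check that flags a withdrawal that leaves the account with more value than it should have.

```python
# Constructed model of an accumulator-scaled lending balance (illustrative only).
SCALE = 10**27  # assumed fixed-point scale for the accumulator


def burn_floor(amount: int, accumulator: int) -> int:
    """Raw units burned when the division rounds down (the behaviour described above)."""
    return (amount * SCALE) // accumulator


def burn_ceil(amount: int, accumulator: int) -> int:
    """Raw units burned when the division rounds up, in the protocol's favour."""
    return -((-amount * SCALE) // accumulator)


def face_value(raw_balance: int, accumulator: int) -> int:
    """Token amount a raw balance is worth at the current accumulator."""
    return raw_balance * accumulator // SCALE


def withdraw(raw_balance: int, amount: int, accumulator: int, burn) -> int:
    """Return the raw balance left after withdrawing `amount` tokens."""
    burned = burn(amount, accumulator)
    if burned > raw_balance:
        raise ValueError("withdrawal exceeds balance")
    return raw_balance - burned


def unbacked_after_withdraw(raw_before: int, raw_after: int,
                            amount: int, accumulator: int) -> int:
    """Tokens the account still claims beyond (value before - amount withdrawn).
    Anything above zero was created by rounding, not by a deposit."""
    expected_max = face_value(raw_before, accumulator) - amount
    return max(0, face_value(raw_after, accumulator) - expected_max)


if __name__ == "__main__":
    acc = 2 * SCALE          # constructed accumulator: 1 raw unit is worth 2 tokens
    raw, amount = 4, 3       # 3 / 2 = 1.5 raw units should be burned
    for name, burn in (("floor", burn_floor), ("ceil", burn_ceil)):
        left = withdraw(raw, amount, acc, burn)
        extra = unbacked_after_withdraw(raw, left, amount, acc)
        print(f"{name}: raw_balance {raw} -> {left}, unbacked tokens = {extra}")
```

Rounding the burn up means any rounding error is borne by the withdrawing account rather than the pool, and the invariant check can run as a test or monitoring assertion around every withdrawal path.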
After the incident was revealed, some in the community humorously called it a ‘hacker’s April Fool’s Day joke’. Others called it a farce, pointing out that the zkLend hacker might be disguising themselves as the victim to divert attention to the phishing website so they could cover up the flow of funds.
However, this phishing website has been lurking for 5 years. Although the hacker’s wallet has indeed been emptied, the fact that there could be hidden accounts behind it cannot be ruled out.
Final Remarks
At present, the zkLend theft incident has become a ‘what goes around comes around’ drama in the crypto space. Can zkLend recover the lost funds as per the request from the hacker? Or is this just a front to cover up the hacker’s scheme to not return the stolen funds? Is the confession letter from the hacker a genuine apology? Are we the April Fools, or is it the hacker? Keep an eye out for updates about the developing case.