Hacker Loses $5.4M in Phishing Scam After zkLend Exploit

Generated by AI agent Coin World
Wednesday, April 2, 2025, 3:41 am ET · 2 min read

The hacker behind the zkLend exploit, which resulted in a loss of $9.57 million, has reportedly fallen victim to a phishing scam. The hacker, who had successfully manipulated flash loans and small deposits to artificially inflate the lending accumulator, attempted to launder the stolen Ether. However, in a twist of irony, the hacker sent 2,930 Ether, valued at approximately $5.4 million, to a phishing site, mistakenly believing it to be a valid Tornado Cash address.

Back in February 2025, just before Valentine’s Day, zkLend—a Starknet-based lending protocol—fell victim to a sophisticated attack. The hacker, known only by their blockchain address (0x64…9109), manipulated a decimal precision vulnerability in zkLend’s lending accumulator, artificially inflating their balance and siphoning off about 3,700 ETH (roughly $9.57 million at the time).

In response, zkLend swiftly paused withdrawals and extended an olive branch to the attacker, offering a 10% white hat bounty in exchange for returning the remaining funds. The hacker, however, remained silent, opting instead to distribute the stolen assets across multiple channels—including a $1.8 million transfer via Railgun.

Then, just when everyone assumed they had gotten away with it, an unexpected message surfaced on-chain from the exploiter. According to the message, the hacker attempted to use Tornado Cash—a popular crypto-mixing service—to obfuscate the origins of the stolen ETH. However, they allegedly fell prey to a long-running phishing scam. The fraudulent website, tornadoeth[.]cash, immediately drained their entire remaining balance of 2,930 ETH, worth about $5.4 million.

The attacker, now sounding uncharacteristically remorseful, wrote: “Hello, I tried to move funds to Tornado, but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2,930 ETH have been taken by that site’s owners… Please redirect your efforts towards those site owners to see if you can recover some of the money.”

zkLend acknowledged the incident in a post on X, confirming that the hacker had interacted with a well-known phishing scam that had been operational for over five years. The incident highlights the vulnerabilities within decentralized finance (DeFi) protocols, particularly the misuse of flash loans. Flash loans allow for borrowing and repayment within a single transaction block, enabling attackers to exploit system flaws. The zkLend attack underscores the need for enhanced security measures and vigilance within the DeFi space.

Following the exploit, zkLend offered the hacker a 10% bounty to return the remaining stolen funds. This approach is part of a broader trend in DeFi, where platforms are opting for negotiation over legal action to recover stolen assets and create a safer environment. The community's response to the incident has emphasized the importance of cybersecurity and the need for users to exercise caution when interacting with decentralized applications (dApps).

Not everyone is buying the hacker’s sob story. While some found poetic justice in the situation, others in the crypto community have raised doubts about the legitimacy of the claim. Could this be an elaborate ruse to throw investigators off track? Skeptics argue that the supposed phishing loss could be a calculated move—a way for the hacker to “disappear” the stolen funds under the guise of being scammed. Given that zkLend has been actively tracking the missing crypto alongside law enforcement and blockchain security firms, a staged loss could serve as a convenient way to slip away unnoticed.

For now, zkLend is treating the incident as a legitimate loss, though no concrete evidence has surfaced to confirm whether the phishing website and the hacker are connected. If true, this blunder marks one of the most ironic moments in crypto heist history, where the thief gets robbed before they can enjoy their stolen fortune. Whether this was an actual misstep or a cunning diversion, one thing is certain: the zkLend saga is far from over. If law enforcement is still on the hacker’s trail, they might need more than a fabricated phishing story to escape accountability.

The zkLend hack is one of many recent incidents that have raised concerns about the security of DeFi platforms. The increasing frequency of such exploits underscores the necessity for comprehensive security solutions to protect digital assets. As the DeFi space continues to evolve, builders and users must remain vigilant, implement robust safety measures, and understand the inherent risks associated with these protocols. Proactive risk minimization and the continuous renewal of safety protocols will be crucial in safeguarding digital assets and ensuring the long-term viability of DeFi.
