Karma on the Blockchain: zkLend Hacker Loses Millions in Phishing Trap
The cryptocurrency world is shaken by new developments in the high-profile case of the breach of the zkLend decentralized lending protocol, which operates on the Starknet network. The hacker, who in February 2025 stole approximately 3,700 ETH (about $9.57 million at that time) from the platform, became a victim of fraud himself. In an attempt to cover his tracks through the crypto mixer Tornado Cash, the criminal lost a significant portion of the stolen funds: 2,930 ETH, equivalent to approximately $5.4 million at the current rate. This incident, which occurred on the night of March 31, 2025, has already been dubbed 'ironic retribution' by the community, highlighting the vulnerability of even those who commit cybercrimes.
Initially, the attack on zkLend, conducted on February 12, was considered one of the most technically sophisticated in recent times. The hacker, known only by the address of his wallet (0x64...9109), exploited a vulnerability in the protocol's interest accumulation system related to decimal precision calculations. This allowed him to artificially inflate his balance and withdraw a significant amount in Ethereum. After the theft, the zkLend team attempted to negotiate with the criminal, offering him a 'white hat' bounty: a reward of 10% of the stolen funds (about 330 ETH) in exchange for returning the rest of the amount. However, the hacker ignored the offer and began moving the funds through various channels, including the Railgun service, where the movement of 706 ETH worth around $1.8 million was observed.
The recent turn of events began when the criminal decided to use Tornado Cash — a popular tool for anonymizing transactions on the blockchain. However, instead of the official site, he followed a phishing link disguised as the Tornado Cash interface (tornadoeth[.]cash). This fraudulent resource, as it turned out, has existed for more than five years and is known in the crypto community as one of the most enduring traps for unsuspecting users. As a result of interacting with the fake site, the hacker lost 2,930 ETH, which was immediately transferred to wallets controlled by operators of the phishing scheme.
Subsequently, the hacker left a message on the blockchain via Etherscan, addressed to the zkLend team: 'I tried to transfer funds through Tornado Cash but landed on a phishing site, and all funds were stolen. I am devastated. I am very sorry for all the chaos and losses I have caused. All 2,930 ETH were taken by the owners of this site. Please focus your efforts on them to try to recover at least some of the money.' This public admission sparked mixed reactions: some considered it sincere remorse, others an attempt to divert attention from himself.
The zkLend team confirmed the incident in an official statement on the X platform, noting that the hacker did indeed interact with the known phishing site. 'At the moment, we have no compelling evidence linking the phishing scheme and the hacker himself,' the project's representatives added, leaving the question of possible staging open.
The news of the hacker losing the stolen funds sparked a storm of discussions in the crypto community. On the X platform, users actively commented on the situation, with opinions divided. Some, like @pvt.eth, sarcastically noted: 'Just in time for April Fool's — great timing for a joke.' Others suggested the hacker might have deliberately moved the funds to another wallet, disguising it as a phishing attack to avoid further prosecution by zkLend and law enforcement. 'It's too convenient to be true,' wrote one user, pointing out that such a scenario could have been pre-planned.
Skepticism is also fueled by the fact that zkLend is actively cooperating with law enforcement agencies and blockchain security firms like Starknet Foundation and Binance Security to track the stolen funds. The loss of 2,930 ETH could have been a way for the hacker to 'cover his tracks,' some experts believe. However, there is currently no concrete evidence supporting this theory, and the investigation is ongoing.
This case is yet another reminder of how dangerous the decentralized finance (DeFi) space remains. Even those with sufficient technical knowledge to conduct complex attacks are not immune to mistakes and fraud. Phishing schemes, like the one that fooled the zkLend hacker, continue to thrive, exploiting users' inattention and their desire for anonymity.
For zkLend, the incident was not only a financial blow but also an opportunity to rethink its approaches to security. Following the February breach, the platform launched a recovery portal for affected users, promising partial compensation and further efforts to recover funds. Now that a significant portion of the stolen amount has ended up in the hands of other fraudsters, the chances of full asset recovery seem even more elusive.
The story of zkLend and its unlucky hacker underscores an old truth: in a world dominated by technology and anonymity, no one can be fully trusted — not even criminals. This case will likely go down in the annals of the crypto industry as an example of how greed and carelessness can turn against those who try to cheat the system.