TLDR
- zkLend protocol was exploited for $9.6 million in February 2025
- Hacker lost 2,930 ETH ($5.4 million) by accidentally sending funds to a fake Tornado Cash phishing site
- The original exploit used flash loans to inflate the lending accumulator and exploit rounding errors
- zkLend had offered the hacker a 10% bounty to return funds, then later offered $500,000 for information leading to recovery
- This incident is part of a larger trend of crypto security breaches, with $1.64 billion stolen in Q1 2025
The hacker who stole $9.6 million from decentralized lending protocol zkLend in February has fallen victim to a phishing scam, losing most of the stolen funds in an ironic turn of events.
According to on-chain messages sent to zkLend through Etherscan on March 31, the hacker lost 2,930 Ether (ETH) worth about $5.4 million. The funds were sent to a fake website that was pretending to be Tornado Cash, a popular crypto mixing service.
“I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated,” the hacker wrote in their message to zkLend. “I am terribly sorry for all the havoc and losses caused.”
On-chain data shows the hacker made several transfers of 100 ETH at a time to an address named “Tornado.Cash: Router.” They finished with three smaller deposits of 10 ETH each before realizing their mistake.
Another user had attempted to warn the hacker about their error, telling them “don’t celebrate” because the funds were sent to a scam Tornado Cash URL. “It is so devastating. Everything gone with one wrong website,” the hacker replied.
The original exploit of zkLend took place on February 11, 2025. The attacker used a combination of small deposits and flash loans to artificially inflate the protocol’s lending accumulator.
Flash loans allow users to borrow and repay funds within a single transaction. In this case, the hacker used them to manipulate zkLend’s system and exploit rounding errors.
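How a large accumulator turns a rounding error into a shortfall, as an added example that is not zkLend's code: a toy share-accounting pool in which the `Market` class, the `SCALE` precision, the 4.5 accumulator value and every amount are constructed assumptions. It compares a withdrawal that rounds the burned shares down with the hardened form that rounds them up, then checks the pool's solvency.

```python
SCALE = 10**27  # fixed-point unit for the accumulator (assumed precision)

def div_floor(a, b):
    return a // b

def div_ceil(a, b):
    return -(-a // b)

class Market:
    """Toy pool: balances are raw shares; face value = raw * acc / SCALE."""

    def __init__(self, acc, burn_rounds_up):
        self.acc = acc                      # lending accumulator (value per raw share)
        self.burn_rounds_up = burn_rounds_up
        self.cash = 0                       # tokens actually held by the pool
        self.raw = {}                       # user -> raw share balance

    def deposit(self, user, amount):
        # Minting rounds down, so a depositor never receives excess shares.
        minted = div_floor(amount * SCALE, self.acc)
        self.raw[user] = self.raw.get(user, 0) + minted
        self.cash += amount

    def withdraw(self, user, amount):
        # Weak form: burn rounds down. Hardened form: burn rounds up,
        # so the shares destroyed are always worth at least `amount`.
        div = div_ceil if self.burn_rounds_up else div_floor
        burned = div(amount * SCALE, self.acc)
        if burned > self.raw.get(user, 0):
            raise ValueError("insufficient balance")
        self.raw[user] -= burned
        self.cash -= amount

    def solvency_gap(self):
        """Cash minus face value owed to depositors; negative means a shortfall."""
        owed = sum(self.raw.values()) * self.acc // SCALE
        return self.cash - owed

def run(burn_rounds_up):
    # Constructed scenario: accumulator at 4.5, one deposit and one withdrawal.
    m = Market(acc=45 * SCALE // 10, burn_rounds_up=burn_rounds_up)
    m.deposit("lp", 900)
    m.deposit("user", 9)
    m.withdraw("user", 8)
    return m.solvency_gap(), m.raw["user"]

if __name__ == "__main__":
    print("burn rounds down:", run(False))
    print("burn rounds up:  ", run(True))
```

Each rounded-off share fraction is worth up to `acc / SCALE` units, so the larger the accumulator grows, the more a wrong rounding direction costs the pool.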
From Thief to Victim: A Crypto Reversal
After the initial attack, the hacker bridged the stolen funds to the Ethereum network. They later tried to launder the money through Railgun but failed when protocol policies returned the funds to the original address.
zkLend responded to the hack by offering terms to the attacker. The protocol proposed that the hacker could keep 10% of the funds as a bounty if they returned the rest, along with a promise not to pursue legal action.
zkLend Security Incident Post Mortem.
To our users,
Starting on 11th of February, zkLend suffered an attack resulting in the loss of around $9.6 million USD in funds. We would like to thank our users and partners for their patience and trust in this difficult time. In addition…
— zkLend (@zkLend) February 14, 2025
When the February 14 deadline passed without a response, zkLend changed tactics. On February 19, the protocol announced a $500,000 bounty for information leading to the hacker’s arrest and the recovery of funds.
After learning about the hacker’s loss to the phishing scam, zkLend asked them to “Return all the funds left in your wallets” to the protocol’s address. However, blockchain records show another 25 ETH was then sent to a different wallet listed as “Chainflip1.”
The zkLend incident is part of a larger pattern of security issues in the cryptocurrency sector. According to blockchain security firm CertiK, losses to crypto scams, exploits, and hacks totaled over $33 million in March 2025 alone.
February 2025 was even worse, with crypto-related crimes resulting in nearly $1.53 billion in losses. The largest portion came from a $1.4 billion attack on Bybit by North Korea’s Lazarus Group on February 21, which now holds the record for the largest crypto hack ever.
This massive hack doubled the previous record of $650 million stolen in the Ronin bridge hack of March 2022, showing how the scale of crypto attacks continues to grow.
According to Immunefi’s Q1 2025 report, the first three months of 2025 were the worst quarter for crypto security breaches in history. Hackers stole a total of $1.64 billion during this period, with the zkLend hack being the fifth-largest exploit.
The report found that decentralized finance (DeFi) protocols lost $106.8 million across 38 different incidents. Ethereum and BNB Chain were the most frequently targeted networks for these attacks.
While DeFi platforms experienced multiple smaller attacks, centralized finance platforms saw just two incidents. However, those two breaches resulted in a much larger total of $1.5 billion in losses.
Security experts point to this case as a reminder of the dangers that exist even for those who exploit vulnerabilities themselves. The hacker’s mistake highlights the need for caution when interacting with any crypto services, as convincing phishing sites can fool even technically skilled individuals.
The irony of a hacker losing stolen funds to another scam has not been lost on the crypto community. This case serves as a stark reminder of the risks inherent in the cryptocurrency ecosystem, affecting everyone from regular users to malicious actors.