Hacker Claims Loss of 2930 ETH After Falling Victim to Phishing Website

In response to zkLend’s repeated offer to retrieve the stolen funds, the hacker who breached the protocol claimed to have sent 2930 ETH (approximately $5.4 million) to a counterfeit site resembling Tornado Cash.

As a result of the incident on February 12, the Layer 2 project based on Starknet lost approximately 3666 ETH ($9.6 million at the time). The hacker was immediately offered a 10% reward for the return of the assets and immunity from prosecution.

«Hello, I attempted to transfer the assets to Tornado, but I ended up using a phishing website and lost everything. I am devastated. I deeply regret the destruction and losses caused. All 2930 ETH were taken by the operators of that platform. I do not have any coins,» the hacker stated in a reply to zkLend’s team on March 31.

The hacker advised them to «redirect their efforts» in recovering the assets from him to the operators of the phishing site.

Transactions in which the hacker supposedly lost the coins were confirmed by cybersecurity researcher Vladimir S and several others, including the administrator of the X account TornadoCashBot.

However, the last expert suggested that the zkLend hacker and the owner of the fake Tornado Cash might be the same person. At the very least, both were linked by the same ENS address, safe-relayer.eth.

According to the expert, the website with the domain tornadorth[.]cash had been mentioned in a Telegram chat for the mixing platform since 2024 and had attracted attention. The address safe-relayer.eth was referenced in the code of the phishing platform as a relay, whereas the original mixing service typically employs a dynamic registry.

«Since the source code of the fraudulent website deleted safe-relayer.eth, but it continues to withdraw funds through Tornado Cash, it is possible that this individual is indeed the hacker who breached zkLend,» the expert concluded.

Developers of the L2 protocol confirmed the active movement of the stolen assets in recent days.

According to their reports, the phishing website has been operational for at least five years, though they currently lack convincing evidence linking the site to the hacker. The zkLend team has included related addresses in their asset tracking measures.

It’s worth noting that in March, a trader lost $1.82 million in USDC on Compound by signing a phishing transaction.