Hacker Becomes the Hacked: zkLend Exploiter Claims to Lose $5.4M to Scam

The hunter has become the hunted—or so they claim. In a bizarre twist of events, the hacker behind zkLend’s $9.57 million exploit has allegedly lost more than half of their stolen stash to a phishing scam while attempting to launder the funds through Tornado Cash.

The Heist Backfires

Back in February 2025, just before Valentine’s Day, zkLend—a Starknet-based lending protocol—fell victim to a sophisticated attack. The hacker, known only by their blockchain address (0x64…9109), manipulated a decimal precision vulnerability in zkLend’s lending accumulator, artificially inflating their balance and siphoning off about 3,700 ETH (roughly $9.57 million at the time).

In response, zkLend swiftly paused withdrawals and extended an olive branch to the attacker, offering a 10% white hat bounty in exchange for returning the remaining funds. The hacker, however, remained silent, opting instead to distribute the stolen assets across multiple channels—including a $1.8 million transfer via Railgun.

Then, just when everyone assumed they had gotten away with it, an unexpected message surfaced on-chain from the exploiter.

A Costly Mistake

According to the message, the hacker attempted to use Tornado Cash—a popular crypto-mixing service—to obfuscate the origins of the stolen ETH. However, they allegedly fell prey to a long-running phishing scam. The fraudulent website, tornadoeth[.]cash, immediately drained their entire remaining balance of 2,930 ETH, worth about $5.4 million.

The attacker, now sounding uncharacteristically remorseful, wrote:

“Hello, I tried to move funds to Tornado, but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2,930 ETH have been taken by that site’s owners… Please redirect your efforts towards those site owners to see if you can recover some of the money.”

zkLend acknowledged the incident in a post on X, confirming that the hacker had interacted with a well-known phishing scam that had been operational for over five years.

A Suspicious Disappearance?

Not everyone is buying the hacker’s sob story. While some found poetic justice in the situation, others in the crypto community have raised doubts about the legitimacy of the claim. Could this be an elaborate ruse to throw investigators off track?

Skeptics argue that the supposed phishing loss could be a calculated move—a way for the hacker to “disappear” the stolen funds under the guise of being scammed. Given that zkLend has been actively tracking the missing crypto alongside law enforcement and blockchain security firms, a staged loss could serve as a convenient way to slip away unnoticed.

Crypto Twitter was quick to weigh in, with user @pvt.eth cheekily commenting, “Right about time for April Fool.” Others pointed out that the hacker could have simply transferred the funds to a new wallet, disguising it as a phishing attack.

@0xGekko echoed the skepticism, posting: “Meh, screams more like the hacker is trying to avoid any heat from a possible investigation.”

What Comes Next?

For now, zkLend is treating the incident as a legitimate loss, though no concrete evidence has surfaced to confirm whether the phishing website and the hacker are connected. If true, this blunder marks one of the most ironic moments in crypto heist history, where the thief gets robbed before they can enjoy their stolen fortune.

Whether this was an actual misstep or a cunning diversion, one thing is certain: the zkLend saga is far from over. If law enforcement is still on the hacker’s trail, they might need more than a fabricated phishing story to escape accountability.