zkLend Hacker Gets a Taste of Instant Karma: $5.4M in Stolen ETH Lost to Phishing Scam.
It sounds unbelievable, but it happened — a hacker who drained millions from zkLend lost everything in a single misstep.
The story began when an attacker managed to drain 2,930 ETH, roughly $5.4 million, from zkLend, a lending protocol built on Ethereum’s layer-2 infrastructure. Following the usual post-hack routine, the hacker tried to launder the stolen funds through Tornado Cash, a crypto mixer often used to obscure transaction trails.
But that’s where things took an unexpected turn.
Instead of safely laundering the loot, the hacker apparently clicked on a phishing link — and poof, just like that, all the ETH was gone. Not to the authorities. Not to the protocol. But to another thief hiding behind a scam site.
The hacker’s wallet soon posted a message that read more like a digital confession:
“I tried to move funds to Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 ETH have been taken by that site’s owners.”
Along with the apology, the hacker asked zkLend’s developers to shift their recovery efforts toward the phishing site operators, suggesting that all hope of retrieving the ETH now rests with them.
Naturally, the crypto community didn’t buy it right away.
Plenty of users — including well-known on-chain analysts — voiced doubts. Some suspected the whole thing might be a clever cover-up. One theory: the hacker controlled both wallets, sent the funds to a second address, then pretended to get scammed. Why? Possibly to write off the “loss” for tax reasons, dodge legal consequences, or simply disappear from the spotlight without further pursuit.
A Web3 researcher known as Web3 Hunter commented that this kind of move isn’t new. Hackers have been known to feign being hacked themselves, especially when the heat is on. Another user, going by DirectorV, echoed that suspicion:
“My instinct says the new wallet belongs to the same hacker. It’s how people do tax loss harvesting, wash sales, or pretend their X account got hacked. Same playbook.”
zkLend, for its part, addressed the speculation. According to a post from their official X account, there’s no solid evidence — at least for now — that links the phishing site to the hacker. However, they’ve added those wallet addresses to their tracking list, just in case.
“At this stage, security teams do not have conclusive evidence that the phishing website and the exploiter are connected. As a precaution, we’ve included these new wallet addresses in our fund tracing efforts.”
The team says they’re actively working with centralized exchanges and law enforcement to follow the trail and hopefully recover the funds — assuming there are still funds left to trace.
Whether this was a rare case of a hacker getting hoisted by their own petard or a calculated act of digital misdirection, one thing’s certain: in crypto, irony is just another day on the blockchain.
Investigations suggest that the individual behind the zkLend exploit may have a history of similar attacks. Analysis by the SlowMist security team indicates that the same attacker was responsible for the EraLend hack on July 25, 2023, which resulted in a loss of approximately $2.76 million.
In both incidents, the attacker employed sophisticated techniques to exploit vulnerabilities in decentralized finance (DeFi) protocols, demonstrating a pattern of targeting DeFi platforms with complex strategies.