A hacker who drained $5.4 million from zkLend on Starknet fell victim to a phishing scam while laundering the stolen ETH, sparking irony-laced reactions and renewed scrutiny of DeFi security risks.
Background
- On March 31, 2025, zkLend—a DeFi lending protocol on the Starknet blockchain—suffered a major exploit resulting in the theft of 2,930 ETH, worth approximately $5.4 million at the time.
- The hacker swiftly attempted to anonymize the funds using Tornado Cash, an Ethereum-based crypto mixer.
- However, in an unexpected twist, they mistakenly interacted with a phishing site—tornadoeth[.]cash, a fake version of the real service.
- Within minutes, the phishing site drained the stolen ETH in chunks of 100 ETH, funneling the funds to a separate wallet.
- The phishing domain was previously flagged as malicious by MetaMask’s security team in 2023.
Why Should You Pay Attention?
- This incident underscores the multifaceted dangers of DeFi—not only for users but also for malicious actors. It serves as a cautionary tale about the proliferation of phishing sites mimicking popular protocols and raises broader questions about on-chain anonymity tools like Tornado Cash.
- Moreover, some analysts suspect the hacker may have staged the loss as a tax evasion strategy or a cover for internal laundering, adding layers of intrigue to the saga.
Who Said What?
- In an on-chain message to zkLend’s deployer address, the hacker confessed:
“I tried to move funds to Tornado, but I used a phishing website, and all the funds have been lost. I am devastated.”
- zkLend acknowledged the exploit and subsequent mishap in a public statement on April 1, stating that their security team is tracking wallet addresses linked to the phishing scam.
- LANGERIUS, founder of Hunters of Web3, weighed in:
“Imo, both wallets belong to same hacker. People use this method for tax loss harvesting, wash trading, or fake X hacks.”
- Similarly, a blockchain sleuth operating under the alias TornadoCashBot wrote:
“The person who stole zkLend and the phishing website imitating TornadoCash may be the same person. The ENS safe-relayer.eth has been marked on Etherscan, and we can track it through its transfer records.”
Zooming Out
- While the hacker’s loss evokes irony, the broader implications are sobering.
- DeFi continues to attract sophisticated attacks, yet even attackers are vulnerable to the underbelly of the crypto ecosystem.
- Whether this was an unfortunate blunder or a calculated maneuver disguised as a mistake, the event is a reminder to stay careful and of the need for better phishing protection, user education, and strong infrastructure within DeFi.