
Thief Becomes the Victim: zkLend Hacker Loses Entire $5.4M ETH Haul to Fake Tornado Cash

April 1, 2025

A hacker who drained $5.4 million from zkLend on Starknet fell victim to a phishing scam while laundering the stolen ETH, sparking irony-laced reactions and renewed scrutiny of DeFi security risks.

Background

  • On March 31, 2025, zkLend—a DeFi lending protocol on the Starknet blockchain—suffered a major exploit resulting in the theft of 2,930 ETH, worth approximately $5.4 million at the time.
  • The hacker swiftly attempted to anonymize the funds using Tornado Cash, an Ethereum-based crypto mixer.
  • However, in an unexpected twist, they mistakenly interacted with a phishing site—tornadoeth[.]cash, a fake version of the real service.
  • Within minutes, the phishing site drained the stolen ETH in chunks of 100 ETH, funneling the funds to a separate wallet.
  • The phishing domain was previously flagged as malicious by MetaMask’s security team in 2023.

Why Should You Pay Attention?

  • This incident underscores the multifaceted dangers of DeFi—not only for users but also for malicious actors. It serves as a cautionary tale about the proliferation of phishing sites mimicking popular protocols and raises broader questions about on-chain anonymity tools like Tornado Cash.
  • Moreover, some analysts suspect the hacker may have staged the loss as a tax evasion strategy or a cover for internal laundering, adding layers of intrigue to the saga.

Who Said What?

  • In an on-chain message to zkLend’s deployer address, the hacker confessed:

“I tried to move funds to Tornado, but I used a phishing website, and all the funds have been lost. I am devastated.”

  • zkLend acknowledged the exploit and subsequent mishap in a public statement on April 1, stating that their security team is tracking wallet addresses linked to the phishing scam.
  • LANGERIUS, founder of Hunters of Web3, weighed in:

“Imo, both wallets belong to same hacker. People use this method for tax loss harvesting, wash trading, or fake X hacks.”

  • Similarly, a blockchain sleuth operating under the alias TornadoCashBot wrote:

“The person who stole zkLend and the phishing website imitating TornadoCash may be the same person. The ENS safe-relayer.eth has been marked on Etherscan, and we can track it through its transfer records.”

Zooming Out

  • While the hacker’s loss evokes irony, the broader implications are sobering.
  • DeFi continues to attract sophisticated attacks, yet even attackers are vulnerable to the underbelly of the crypto ecosystem.
  • Whether this was an unfortunate blunder or a calculated maneuver disguised as a mistake, the event is a reminder to be careful and of the need for better phishing protection, user education, and strong infrastructure within DeFi.
