zkLend hacker loses $5.4M in ETH to Tornado Cash phishing site

The hacker behind the $9.6 million zkLend (CRYPTO:ZEND) exploit in February has claimed to have lost 2,930 Ether ($5.4 million) to a phishing website impersonating Tornado Cash (CRYPTO:TORN).

In an on-chain message sent to zkLend on March 31, the attacker admitted depositing funds into a fraudulent front-end for the privacy protocol, expressing regret for the loss.

“I tried to move funds to a Tornado, but used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” wrote the hacker.

The hacker made several deposits of 100 ETH increments to the phishing address, which was labeled “Tornado.Cash: Router,” followed by three final deposits of 10 ETH.

Despite receiving a warning from another user, “don’t celebrate,” the funds were already lost.

Later, the hacker transferred 25 ETH to a Chainflip1 wallet, despite zkLend’s request to return the remaining funds.

This incident highlights the vulnerabilities within cryptocurrency laundering techniques.

Following the $9.6 million flash loan exploit targeting rounding errors in zkLend’s smart contracts, the hacker attempted to obfuscate the funds through Railgun, but the protocol’s safeguards returned the money.

The loss due to phishing underscores the risks associated with decentralised mixing tools like Tornado Cash, which have become common targets for scammers.

zkLend initially offered a 10% bounty ($330,000) to the hacker for returning 90% of the stolen funds by February 14, but no resolution was reached by the deadline.

The bounty was later increased to $500,000 for information leading to the hacker’s arrest.

The attack contributed to a record-breaking $1.64 billion in crypto losses during Q1 2025, according to Immunefi data.

While DeFi protocols like zkLend accounted for $106.8 million across 38 incidents, breaches in centralised finance, including the $1.4 billion Bybit hack linked to North Korea’s Lazarus Group, dominated the total losses.

The hacker’s apology has sparked scepticism, with some questioning its authenticity.

SlowMist’s Yu Xian noted the message's theatrical tone and the abrupt “retirement” claim, casting doubt on the true intentions behind the communication.

At the time of reporting, the zkLend (ZEND) price was $0.008911, and the Tornado Cash (TORN) price was $7.33.