In response to another offer from the zkLend team to return the stolen funds, the hacker who compromised the protocol stated that they sent 2930 ETH (~$5.4 million) to a fake Tornado Cash site.
As a result of the incident on February 12, the L2 project based on Starknet lost approximately 3666 ETH ($9.6 million at the time). The hacker was immediately offered a 10% reward of the total amount for returning the assets and immunity from prosecution.
“Hi, I tried to transfer the funds to Tornado, but I used a phishing website and lost everything. I’m devastated. I deeply regret the damage and losses caused. All 2930 ETH were taken by the owners of that platform. I have no coins,” the hacker wrote in response to zkLend’s appeal on March 31.
The hacker advised to “redirect efforts” to recover the assets from the operators of the phishing site instead of them.
Transactions in which the hacker supposedly lost the coins were confirmed by cybersecurity researcher Vladimir S and several other experts, including the administrator of the X-account TornadoCashBot.
It seems that the 2,930 ETH stolen from @zkLend was deposited into Phishing website imitating TornadoCash and was immediately taken away by the phishing website’s operators.
— Vladimir S. | Officer's Notes (@officer_cia) March 31, 2025
H/T @TornadoCashBot
However, the latter suggested that the zkLend hacker and the owner of the fake Tornado Cash site could be the same person. At least, both used the same ENS address safe-relayer.eth.
🚨🚨I found something interesting. The person who stole zklend and the phishing website imitating TornadoCash may be the same person.@zkLend @officer_cia @im23pds
— TornadoCashBot (@TornadoCashBot) April 1, 2025
1. The ENS safe-relayer.eth has been marked on etherscan. We can track it through the transfer records of this ENS pic.twitter.com/0M33MNGBl9
According to the expert, the site with the domain tornadorth[.]cash had been featured in a Telegram chat of the mixing platform since 2024 and caught attention. The safe-relayer.eth address was listed in the phishing platform’s code as a relayer, while the original mixing service uses a dynamic registry in this case.
“Since the fraudulent site’s source code removed safe-relayer.eth, yet it continues to withdraw funds through it from Tornado Cash, it is likely that this is the hacker who compromised zkLend,” the expert concluded.
Developers of the L2 protocol confirmed the active movement of the stolen assets in the last 24 hours.
According to them, the phishing site has been operating for at least five years, but they currently have no solid evidence of its interaction with the hacker. The zkLend team has included related addresses in their tracking efforts.
Reminder: in March, a trader lost $1.82 million in USDC on Compound by signing a phishing transaction.
Cryptol – your source for the latest news on cryptocurrencies, information technology, and decentralized solutions. Stay informed about the latest trends in the digital world.