ZKLend hacker loses all funds to phishing site spoofing Tornado Cash

The hacker that took 2,930 ETH from the ZK Lend protocol claims to have lost all the funds to another bad player. Instead of sending the ETH to Tornado Cash, the hacker claims all funds were sent it to a phishing website.

The hacker address that stole 2,930 ETH from ZKLend allegedly was hacked in return. The wallet’s owner commented through Etherscan, claiming the funds were lost to a phishing site instead of Tornado Cash. The stolen ETH is valued at around $5.5M as of April 1st.

ZKLend has been negotiating with the hacker to regain most of the funds in exchange for a 10% bounty. The addresses were known and the project was actively communicating with the exploiter until the last moment. In the end, the hacker claimed the funds are no longer in the original address, and have been taken by another bad actor. 

The hacker communicated in the same way as the ZKLend team – by issuing an on-chain transaction with zero ETH and a message attached. 

The ZKLend team has stated there is no conclusive evidence that the hacker lost control of all funds. The team noted that the funds were sent to an address linked to a spoof site that has been active for five years. There is no conclusive evidence linking the protocol exploiter to the owners of the spoof site’s wallets, but on-chain investigators have found indications that the same entity may be responsible for both hacks.

The lending protocol has not given up on tracking down the lost ETH, and has included the new exploit address as a target. The ZKLend protocol cooperates with centralized exchanges, though there are also decentralized ways to obscure the funds. 

Investigators suspect the hacker faked the ETH loss

The sudden claims of another exploit, followed by immediate mixing, also suggest the hacker may be connected to the phishing site. In any case, the ETH coins are now next to impossible to trace, and the hacker may end up retaining the tokens after mixing. On-chain investigators believe the ETH transaction is an early April’s Fool joke, as the hacker did not mention the exact phishing site and the transaction used another route to reach Tornado Cash. 

According to on-chain investigators, the stolen funds used an Ethereum vanity address, and did not get sent to one of the Tornado Cash spoof sites directly. 

TornadoCashDAO：
zklend再次被盗极有可能是黑客自导自演，被盗资金因手填safe-relayer.eth中继器取款，并不是因为钓鱼，黑客为同一人 https://t.co/FEd22QY9Ph

— 法希姆 (@Faith_Blo) April 1, 2025

Tornado Cash itself has warned about potential spoof sites, which are widely known and highly improbable to be mistaken by an Ethereum hacker. On-chain investigators noticed the site in question was most probably tornadoeth.cash, instead of tornado.cash. 

Before transferring the bulk of the stolen ETH, the hacker also moved smaller sums and tried mixing without an intermediary. The ZKLend team noticed the activity and continued to notify centralized exchanges and protocols for all new hack-related addresses. 

Can the ZKLend funds be tracked?

After mixing, the 2,930 ETH may not be tracked as easily. However, on-chain investigators are making a tentative link between the hacker and the spoof TornadoCash site. 

An on-chain investigator noted the hacker transaction went though an Ethereum vanity address, safe-relayer.eth. That same address was once hard-coded into one of the spoof TornadoCash sites. The site’s code versions were monitored by investigators, noticing that safe-relayer.eth appeared for a period of time in 2024.

As of March 31, the safe-relayer.eth address has been removed from the site. This means all other scam transactions go through another intermediary wallet. 

However, the hacker still used safe-relayer.eth, even without getting prompted by the site. This led investigators to believe that the hacker wanted to cover his tracks, and was probably in control of safe-relayer.eth and the author of the spoof site. 

In the end, instead of obscuring the funds, the ZKLend exploit put extra scrutiny on the tornadoeth.cash site and its potential owners. The attempt to cover the hacker’s tracks may have exposed a wider network of bad actors. 

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot