Best crypto insights delivered straight to your inbox.
- The ZKLend hacker responded to the bounty message, stating that he lost 2,930 ETH to a phishing site.
- ZKLend continues to track the funds, notifying exchanges and protocols of new addresses.
- The hacker used safe-relayer.eth, an Ethereum vanity address, which raised suspicions that the same entity owns the spoof site and hacked ZKLend.
The hacker that took 2,930 ETH from the ZK Lend protocol claims to have lost all the funds to another bad player. Instead of sending the ETH to Tornado Cash, the hacker claims all funds were sent it to a phishing website.
The hacker address that stole 2,930 ETH from ZKLend allegedly was hacked in return. The wallet’s owner commented through Etherscan, claiming the funds were lost to a phishing site instead of Tornado Cash. The stolen ETH is valued at around $5.5M as of April 1st.
ZKLend has been negotiating with the hacker to regain most of the funds in exchange for a 10% bounty. The addresses were known and the project was actively communicating with the exploiter until the last moment. In the end, the hacker claimed the funds are no longer in the original address, and have been taken by another bad actor.
The hacker communicated in the same way as the ZKLend team – by issuing an on-chain transaction with zero ETH and a message attached.
The ZKLend team has stated there is no conclusive evidence that the hacker lost control of all funds. The team noted that the funds were sent to an address linked to a spoof site that has been active for five years. There is no conclusive evidence linking the protocol exploiter to the owners of the spoof site’s wallets, but on-chain investigators have found indications that the same entity may be responsible for both hacks.
The lending protocol has not given up on tracking down the lost ETH, and has included the new exploit address as a target. The ZKLend protocol cooperates with centralized exchanges, though there are also decentralized ways to obscure the funds.
Investigators suspect the hacker faked the ETH loss
The sudden claims of another exploit, followed by immediate mixing, also suggest the hacker may be connected to the phishing site. In any case, the ETH coins are now next to impossible to trace, and the hacker may end up retaining the tokens after mixing. On-chain investigators believe the ETH transaction is an early April’s Fool joke, as the hacker did not mention the exact phishing site and the transaction used another route to reach Tornado Cash.
According to on-chain investigators, the stolen funds used an Ethereum vanity address, and did not get sent to one of the Tornado Cash spoof sites directly.
TornadoCashDAO:
zklend再次被盗极有可能是黑客自导自演,被盗资金因手填safe-relayer.eth中继器取款,并不是因为钓鱼,黑客为同一人 https://t.co/FEd22QY9Ph— 法希姆 (@Faith_Blo) April 1, 2025
Tornado Cash itself has warned about potential spoof sites, which are widely known and highly improbable to be mistaken by an Ethereum hacker. On-chain investigators noticed the site in question was most probably tornadoeth.cash, instead of tornado.cash.
Before transferring the bulk of the stolen ETH, the hacker also moved smaller sums and tried mixing without an intermediary. The ZKLend team noticed the activity and continued to notify centralized exchanges and protocols for all new hack-related addresses.
Can the ZKLend funds be tracked?
After mixing, the 2,930 ETH may not be tracked as easily. However, on-chain investigators are making a tentative link between the hacker and the spoof TornadoCash site.
An on-chain investigator noted the hacker transaction went though an Ethereum vanity address, safe-relayer.eth. That same address was once hard-coded into one of the spoof TornadoCash sites. The site’s code versions were monitored by investigators, noticing that safe-relayer.eth appeared for a period of time in 2024.
As of March 31, the safe-relayer.eth address has been removed from the site. This means all other scam transactions go through another intermediary wallet.
However, the hacker still used safe-relayer.eth, even without getting prompted by the site. This led investigators to believe that the hacker wanted to cover his tracks, and was probably in control of safe-relayer.eth and the author of the spoof site.
In the end, instead of obscuring the funds, the ZKLend exploit put extra scrutiny on the tornadoeth.cash site and its potential owners. The attempt to cover the hacker’s tracks may have exposed a wider network of bad actors.
If you're reading this, you’re already ahead. Stay there with our newsletter.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Hristina Vasileva
Hristina Vasileva specializes in DeFi, business, and economic news. She graduated from Sofia University with an MA in Philosophy, after completing a 4-year BA in Business Administration, Journalism, and Mass Communication. She has worked for one of the country’s leading newspapers, covering the commodities and corporate results beat. Currently, Hristina is a contributing news author at Cryptopolitan.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)