Lost Funds Due to Phishing Website
The hacker behind the $9.6 million exploit of the decentralized money-lending protocol zkLend in February claims to have fallen victim to a phishing website impersonating Tornado Cash, resulting in the loss of a significant portion of the stolen funds.
In a message sent to zkLend through Etherscan on March 31, the hacker claimed to have lost 2,930 Ether (ETH) from the stolen funds to a phishing website posing as a front-end for Tornado Cash.
The hacker sent 100 Ether at a time to an address named Tornado.Cash: Router, finishing with three deposits of 10 Ether.
“Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” the hacker said.
“All the 2,930 Eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money,” they added.
ZkLend responded to the message by asking the hacker to “Return all the funds left in your wallets” to the zkLend wallet address.
However, according to Etherscan, another 25 Ether was then sent to a wallet listed as Chainflip1.
Exploit and Losses
ZkLend suffered an empty market exploit on Feb. 11 when an attacker used a small deposit and flash loans to inflate the lending accumulator, according to the protocol’s Feb. 14 post-mortem.
The hacker then repeatedly deposited and withdrew funds, exploiting rounding errors that became significant due to the inflated accumulator.
The attacker bridged the stolen funds to Ethereum and later failed to launder them through Railgun after protocol policies returned them to the original address.
Following the exploit, zkLend proposed the hacker could keep 10% of the funds as a bounty and offered to release the culprit from legal liability and scrutiny from law enforcement if the remaining Ether was returned.
The offer deadline of Feb. 14 passed with no public response from either party. In a Feb. 19 update to X, zkLend said it was now offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered.
Crypto Scams and Hacks
Losses to crypto scams, exploits, and hacks totaled over $33 million, according to blockchain security firm CertiK, but dropped to $28 million after decentralized exchange aggregator 1inch successfully recovered its stolen funds.
Losses to crypto scams, exploits, and hacks totaled nearly $1.53 billion in February. The $1.4 billion Feb. 21 attack on Bybit by North Korea’s Lazarus Group made up the lion’s share and took the title for largest crypto hack ever, doubling the $650 million Ronin bridge hack in March 2022.
Conclusion
In conclusion, the hacker behind the $9.6 million exploit of zkLend claims to have fallen victim to a phishing website impersonating Tornado Cash, resulting in the loss of a significant portion of the stolen funds. The exploit and losses are a reminder of the importance of security and vigilance in the cryptocurrency space. As the industry continues to grow, it is crucial that we prioritize security and work together to prevent these types of attacks from occurring in the future.
FAQs
What is the hack?
The hack refers to the $9.6 million exploit of the decentralized money-lending protocol zkLend in February, which resulted in the theft of a significant portion of the protocol’s funds.
What is the exploit method?
The exploit method used by the hacker was an empty market exploit, which involved using a small deposit and flash loans to inflate the lending accumulator, allowing the hacker to repeatedly deposit and withdraw funds and exploit rounding errors that became significant due to the inflated accumulator.
What is the total loss in the crypto space?
The total loss in the crypto space due to hacks, scams, and other malicious activities is nearly $1.53 billion, with the largest hack being the $1.4 billion Feb. 21 attack on Bybit by North Korea’s Lazarus Group.
What is the current situation with the hacker?
The hacker claims to have lost a significant portion of the stolen funds to a phishing website impersonating Tornado Cash, resulting in the loss of 2,930 Ether (ETH). The hacker is currently working with zkLend to recover the remaining funds and is offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered.
What is the current situation with zkLend?
ZkLend is currently working with the hacker to recover the remaining funds and is offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered. The protocol is also continuing to improve its security measures to prevent similar attacks from occurring in the future.
