TLDR
- Back in February 2025, zkLend was taken for a ride to the tune of $9.6 million.
- A staggering 2,930 ETH, equivalent to $5.4 million, vanished when the thief mistakenly channeled the cryptocurrency to a fraudulent clone of Tornado Cash.
- The sneak attack that emptied zkLend's coffers hinged on flash loans, cleverly bloating the lending metrics and preying on math miscalculations.
- Initially, zkLend attempted to make peace by dangling a 10% bounty carrot if the purloined funds were returned, later switching gears to offer $500,000 for any intel leading to recovery.
- This saga is but a chapter in the story of rampant crypto breaches, where losses hit $1.64 billion in the first quarter of 2025.
With a dollop of irony, the individual who infiltrated zkLend found themselves ensnared by a phishing trap, forfeiting a bulk of the ill-gotten gains.
On-chain communications unfolded, revealing that 2,930 Ether, worth $5.4 million, was rerouted to a Tornado Cash impostor. Etherscan on March 31 In a note full of regret, the hacker lamented, 'I tried to funnel funds through Tornado, but fell prey to a fake site, losing everything. The devastation is profound.'
Evidence from the blockchain chronicles a series of 100 ETH movements to 'Tornado.Cash: Router,' culminating in smaller transfers before the error dawned.
An observant bystander tried to wave the hacker off the path, warning of the faux Tornado Cash address. The thief's somber response: 'It's soul-crushing. An entire fortune, gone with one misstep.'
The nefarious deed against zkLend kicked off on February 11, 2025, using a deft mix of flash loans and deposits to mislead the system.
Using flash loans — a tactic that lets funds boomerang back within one transaction frame — the perpetrator manipulated zkLend's setup, leveraging rounding flaws.
A Tale Reversed: From Digital Bandit to Victim
Following the smash-and-grab, the attacker translated the crypto to Ethereum's network, attempting a laundering move via Railgun only to face a rollback due to the protocol's safeguards.
In the aftermath, zkLend engaged the hacker with an offer of clemency, proposing they keep a slice of the spoils as a peace offering, provided they restore the bulk.
zkLend's Security Breach Autopsy
The calamity unfolded starting February 11 when zkLend endured an assault, losing roughly $9.6 million. Our gratitude goes out to our community and allies for their unwavering support.
To our users,
With no word from the perpetrator by February 14, zkLend upped the stakes on February 19 with a $500,000 bounty for leads on the criminal's trail.
— zkLend (@zkLend) February 14, 2025
Upon learning of the swindler's blow due to the phishing misadventure, zkLend appealed for a return of remaining funds. But, the blockchain shows 25 ETH diverting to an entity tagged 'Chainflip1.'
The zkLend compromise fits a broader puzzle of crypto security gaffes. March 2025 alone clocked losses exceeding $33 million from various cyber scams.
February's track record was even bleaker, recording nearly $1.53 billion in crypto heists, with the significant $1.4 billion heist on Bybit by the Lazarus Group commandeering the headlines.
The colossal Bybit hack dwarfed any prior crypto heists, like Ronin’s $650 million fiasco in 2022, marking an escalating menace.
Immunefi’s Q1 2025 report tags the period as the harshest quarter for crypto security woes, logging a $1.64 billion drain, with zkLend ranking among the top five hits.
According to this report, DeFi systems surrendered $106.8 million within 38 incidents, with Ethereum and BNB Chain emerging as frequent targets.
Though DeFi faces numerous minor raids, centralized financial outfits suffered two, albeit massive, breaches totaling $1.5 billion.
Security pundits underscore this case as a testament to the lurking perils, even for those who exploit loopholes, emphasizing an ever-present need for vigilance.
The paradox of a hacker losing their ill-gotten treasures to a secondary scam serves as a vivid lesson in the unpredictability of the crypto sphere, impacting users and hackers alike.
Maisie boasts a seasoned tenure as a Crypto & Financial news writer, contributing to Moneycheck.com, level-up-casino-app.com, Computing.net and steering Blockfresh.com as Editor in Chief.
