In response to another offer from the zkLend team to return the stolen funds, the hacker who breached the protocol claimed to have sent 2930 ETH (~$5.4 million) to a fake Tornado Cash website.
As a result of the incident on February 12, the Starknet-based L2 project lost ~3666 ETH ($9.6 million at the time). The perpetrator was immediately offered a 10% reward and immunity from prosecution in exchange for returning the assets.
“Hi, I tried to transfer the funds to Tornado but used a phishing website and lost everything. I am devastated. I am terribly sorry for the destruction and losses caused. All 2930 ETH were taken by the owners of this site. I have no coins,” the hacker wrote in response to the zkLend team’s outreach on March 31.
The perpetrator suggested “redirecting efforts” to recover the assets from the operators of the phishing site instead.
Transactions in which the hacker allegedly lost the coins were confirmed by cybersecurity researcher Vladimir S and several other experts, including the administrator of the X account TornadoCashBot.
It seems that the 2,930 ETH stolen from @zkLend was deposited into a phishing website imitating TornadoCash and was immediately taken away by the phishing website’s operators.
H/T @TornadoCashBot
— Vladimir S. | Officer’s Notes (@officer_cia) March 31, 2025
However, the latter suggested that the zkLend hacker and the owner of the fake Tornado Cash might be the same person. At the very least, both used the same ENS address, safe-relayer.eth.
I found something interesting. The person who stole zklend and the phishing website imitating TornadoCash may be the same person. @zkLend @officer_cia @im23pds
1. The ENS safe-relayer.eth has been marked on etherscan. We can track it through the transfer records of this ENS
— TornadoCashBot (@TornadoCashBot) April 1, 2025
According to the expert, the domain tornadorth[.]cash has been mentioned in the mixing platform's Telegram chat since 2024 and had attracted attention. The address safe-relayer.eth was embedded in the code of the phishing platform as a relay, whereas the original mixing service uses a dynamic registry for this purpose.
“Since the source code of the fraudulent site removed safe-relayer.eth, and it still withdraws funds through it from Tornado Cash, it is possible that it is the zkLend hacker,” concluded the expert.
Developers of the L2 protocol confirmed the active movement of the stolen assets by the perpetrator in the past day.
According to them, the phishing site has been operational for at least five years, but they currently lack convincing evidence of interaction between the platform and the hacker. The zkLend team has included related addresses in measures to track the funds.
Earlier in March, a trader lost $1.82 million in USDC on Compound by signing a phishing transaction.
