{"id":22617,"date":"2025-04-01T15:22:55","date_gmt":"2025-04-01T12:22:55","guid":{"rendered":"https:\/\/forklog.com\/en\/hacker-claims-loss-of-2930-eth-on-phishing-site-after-zklend-breach\/"},"modified":"2025-04-01T15:22:55","modified_gmt":"2025-04-01T12:22:55","slug":"hacker-claims-loss-of-2930-eth-on-phishing-site-after-zklend-breach","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hacker-claims-loss-of-2930-eth-on-phishing-site-after-zklend-breach\/","title":{"rendered":"Hacker Claims Loss of 2930 ETH on Phishing Site After zkLend Breach"},"content":{"rendered":"<p>In response to another offer from the zkLend team to return the stolen funds, the hacker who breached the protocol claimed to have sent 2930 ETH (~$5.4 million) to a fake Tornado Cash website.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/IDM-Etherscan-Google-Chrome-1.webp\" alt=\"IDM-Etherscan-Google-Chrome-1\" class=\"wp-image-255446\"\/><figcaption class=\"wp-element-caption\">Data: <a href=\"https:\/\/etherscan.io\/idm?addresses=0xd89b7236f4ea38a2afc1d614dc3de08a190f1ff5,0xcf31e1b97790afd681723fa1398c5ead9f69b98c&#038;type=1\">Etherscan<\/a>.<\/figcaption><\/figure>\n<p>As a result of the incident on February 12, the Starknet-based L2 project lost <a href=\"https:\/\/forklog.com\/en\/news\/compromised-zklend-protocol-offers-hacker-960000-reward\">~3666 ETH ($9.6 million at the time)<\/a>. The perpetrator was immediately offered a 10% reward and immunity from prosecution in exchange for returning the assets.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Hi, I tried to transfer the funds to Tornado but used a phishing website and lost everything. I am devastated. I am terribly sorry for the destruction and losses caused. All 2930 ETH were taken by the owners of this site. 
I have no coins,&#8221; the hacker wrote in response to the zkLend team&#8217;s outreach on March 31.<\/p>\n<\/blockquote>\n<p>The perpetrator suggested &#8220;redirecting efforts&#8221; to recover the assets from the operators of the phishing site instead.<\/p>\n<p>Transactions in which the hacker allegedly lost the coins were confirmed by cybersecurity researcher Vladimir S and several other experts, including the administrator of the X-account TornadoCashBot.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">It seems that the 2,930 ETH stolen from <a href=\"https:\/\/twitter.com\/zkLend?ref_src=twsrc%5Etfw\">@zkLend<\/a> was deposited into Phishing website imitating TornadoCash and was immediately taken away by the phishing website\u2019s operators.<\/p>\n<p>H\/T <a href=\"https:\/\/twitter.com\/TornadoCashBot?ref_src=twsrc%5Etfw\">@TornadoCashBot<\/a><\/p>\n<p>\u2014 Vladimir S. | Officer&#8217;s Notes (@officer_cia) <a href=\"https:\/\/twitter.com\/officer_cia\/status\/1906757686521123161?ref_src=twsrc%5Etfw\">March 31, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>However, the latter suggested that the zkLend hacker and the owner of the fake Tornado Cash might be the same person. At the very least, both used the same ENS address, safe-relayer.eth.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">I found something interesting. The person who stole zklend and the phishing website imitating TornadoCash may be the same person.<a href=\"https:\/\/twitter.com\/zkLend?ref_src=twsrc%5Etfw\">@zkLend<\/a> <a href=\"https:\/\/twitter.com\/officer_cia?ref_src=twsrc%5Etfw\">@officer_cia<\/a> <a href=\"https:\/\/twitter.com\/im23pds?ref_src=twsrc%5Etfw\">@im23pds<\/a><br \/>1. The ENS safe-relayer.eth has been marked on etherscan. 
We can track it through the transfer records of this ENS <a href=\"https:\/\/t.co\/0M33MNGBl9\">pic.twitter.com\/0M33MNGBl9<\/a><\/p>\n<p>\u2014 TornadoCashBot (@TornadoCashBot) <a href=\"https:\/\/twitter.com\/TornadoCashBot\/status\/1906894890195415108?ref_src=twsrc%5Etfw\">April 1, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to the expert, the domain tornadorth[.]cash has been mentioned in the Telegram chat of the mixing platform since 2024 and attracted attention. The address safe-relayer.eth was embedded in the code of the phishing platform as a relay, although the original mixing service uses a dynamic registry in this case.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Since the source code of the fraudulent site removed safe-relayer.eth, and it still withdraws funds through it from Tornado Cash, it is possible that it is the zkLend hacker,&#8221; concluded the expert.<\/p>\n<\/blockquote>\n<p>Developers of the L2 protocol <a href=\"https:\/\/x.com\/zkLend\/status\/1906953225204564360\">confirmed<\/a> the active movement of the stolen assets by the perpetrator in the past day.\u00a0<\/p>\n<p>According to them, the phishing site has been operational for at least five years, but they currently lack convincing evidence of interaction between the platform and the hacker. The zkLend team has included related addresses in measures to track the funds.<\/p>\n<p>Earlier in March, a trader <a href=\"https:\/\/forklog.com\/en\/news\/trader-loses-1-82-million-in-phishing-scam\">lost $1.82 million<\/a> in USDC on Compound by signing a phishing transaction.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In response to another offer from the zkLend team to return the stolen funds, the hacker who breached the protocol claimed to have sent 2930 ETH (~$5.4 million) to a fake Tornado Cash website. Data: Etherscan. 
As a result of the incident on February 12, the Starknet-based L2 project lost ~3666 ETH ($9.6 million at [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":22616,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1227,44,1314],"class_list":["post-22617","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cryptocurrency-transactions","tag-cybercrime","tag-tornado-cash"],"aioseo_notices":[],"amp_enabled":true,"views":"51","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=22617"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22617\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/22616"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=22617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=22617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=22617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}