
Ironically, the person behind the $9.57 million zkLend exploit in February has now been tricked by a phishing scam while trying to launder the stolen funds. The hacker alleges that they lost 2,930 Ether (ETH), or almost $5.4 million, after unintentionally connecting to a fake version of Tornado Cash, a cryptocurrency mixing service.
The story started in February, when zkLend, a decentralized lending protocol on the Starknet network, suffered a major security compromise. Taking advantage of a decimal precision flaw in zkLend’s smart contracts, the attacker manipulated rounding errors to artificially inflate their balance and steal almost 3,700 ETH. In response, zkLend temporarily halted withdrawals and tried to negotiate with the attacker, offering a 10% reward in exchange for the return of the remaining funds. These overtures were met with silence.
The hacker has now apologized in an on-chain message, saying:
“I tried to move funds to Tornado, but I used a phishing website, and all the funds have been lost. I am inconsolable. I am terribly sorry for all the havoc and losses caused.”
The cryptocurrency community is skeptical of this development. Some analysts doubt the hacker’s assertion, speculating that it could be a ploy to deceive investigators and hide the real location of the money. Others hypothesize that the hacker may have staged the phishing incident to appear to have lost the funds and avoid further investigation.
Currently, zkLend is working with law enforcement and security companies to track down and retrieve the stolen assets. To help affected users with the restitution process, the platform has now introduced a Recovery Portal.