zkLend Hacker Claims 2,930 ETH Lost to Phishing, but Evidence Points to Self-Deception

On March 31, a hacker who previously exploited zkLend found themselves in an ironic twist of fate. According to blockchain analyst Vladimir S. (@officer_cia), the hacker reportedly lost 2,930 ETH in stolen funds after falling victim to a phishing website disguised as Tornado Cash. The phishing website operator allegedly siphoned the funds, leaving the hacker empty-handed.

The hacker left an on-chain message addressed to zkLend, pleading for assistance in tracking down the phishing website operator to recover the stolen funds. The message read: "Hello, I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. This will be my last message. Its better to end this all. Again, I am sorry."

Source: etherscan

In response, zkLend urged the hacker to return any remaining funds in their possession, stating: "Return all the funds left in your wallets to this address."

Source: etherscan

Investigation Unveils Possible Deception

Vladimir S. and fellow investigator @Whistleblowe007 analyzed the largest withdrawals from Tornado Cash on March 31, identifying five addresses suspected of funneling the stolen funds into the mixer.

Meanwhile, another investigator, @TornadoCashBot, delved deeper into the phishing website’s ENS transfer records and source code. His findings suggest a more sinister narrative: the hacker and the phishing website operator may, in fact, be the same individual.

@TornadoCashBot traced the phishing website, tornadoeth.cash, which had been flagged as suspicious in Tornado Cash’s Telegram group as early as 2024. Screenshots from 2025 show that the phishing site’s source code hardcoded an ENS address, safe-relayer.eth, rather than using Tornado Cash's official Relayer Registry contract. This deviation from standard practice raised significant red flags.

Interestingly, safe-relayer.eth was later removed from the phishing website’s source code, further fueling suspicions. @TornadoCashBot shared screenshots of the address transferring funds, asserting: "It means that the hacker who stole zkLend is lying, and he was not phished."

To stay updated on the latest developments in this intriguing case, make sure to follow us for real-time updates and in-depth analysis.