Someone stole the stolen money from ZKLend

A bizarrely twisted tale unfolded yesterday in crypto’s underworld of decentralized finance (DeFi). The perpetrator of a multi-million dollar heist against a project called ZKLend (short for “zero knowledge proof lending”) subsequently lost those ill-gotten gains to a second phishing scam.

The ouroboros started on February 11, 2025 when ZKLend lost 3,600 ether (ETH) to its hackers.

Administrators begged them to return the funds, but weeks went by with no news. ZKLend announced a $500,000 bounty for the arrest and return of funds, but still no luck.

Then, on March 31, an on-chain chat between the hacker “Fake_Phishing927538” and ZKLend’s token deployer account revealed new, devastating news. 

“I tried to move funds to tornado [cash] but I used a phishing website and all the funds have been lost,” Fake_Phishing927538 wrote to the ZKLend team.

“I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins.”


What happened to ZKLend users’ money?

At this point, it was hard to know what was real. Why the delay from February 18 to March 31 if the hacker had intended to return the funds? Did a fake Tornado Cash website actually fool an otherwise sophisticated hacker, or did the hacker merely team up with that fake website to manufacture a cover story?

Tornado Cash is a well-known crypto mixing service that obscures transaction trails. A fraudulent imitation of that site, however, took control of 2,930 ETH of ZKLend users’ money. The phishing operators swiftly drained the hacker’s wallet, leaving it empty.

Most social media commentary about the incident laughed at the irony of a hacker outmaneuvering another hacker. In this version of the story, a criminal set a sophisticated trap to ensnare unsuspecting victims, yet ironically caught one of its own kind.

In another, far more sinister version of the story, the hacker and the phisher cooperated.

A third cohort of observers dismissed the on-chain message from the hacker on March 31 as a cruel April Fool’s joke, given its proximity to April 1. If it is an April Fool’s joke, it ranks among the cruelest, made at the expense of users’ stolen savings.

ZKLend’s latest statement on the 2,930 ETH phishing incident claims, “At this stage, security teams do not have conclusive evidence that the phishing website and the exploiter are connected.”

It has now included the wallets of the new scammers and has monitored “significant movements of funds from the exploiter’s controlled wallet addresses.”

The protocol’s homepage still cites logos from Delphi Digital, CMS Holdings, Starkware, and GBV as though it is still “supported by trusted institutions.”


The post Someone stole the stolen money from ZKLend appeared first on Protos.
