In a twist that could make even the most hardened cybercriminals wince, the hacker behind February’s $9.6 million zkLend exploit claims to have fallen victim to a scam themselves. According to an on-chain message sent on March 31, 2025, the perpetrator reportedly lost 2,930 ETH—worth approximately $5.4 million—to a Tornado Cash phishing site while attempting to launder their ill-gotten gains.
The original hack saw 3,600 ETH stolen through a smart contract vulnerability, with zkLend promptly suspending withdrawals and launching an investigation. The hacker initially ignored the protocol’s 10% bounty offer, instead choosing to bridge the funds to Ethereum and attempt laundering via privacy tools. The incident highlights the continuing debate over privacy coin regulation in cryptocurrency ecosystems where anonymity tools serve both legitimate privacy needs and criminal activities.
“I’m devastated,” the hacker wrote in their message to zkLend. “All 2,930 ETH was taken by the phishing site owners.” The confession included details of sending 100 ETH at a time to an address labeled “Tornado.Cash: Router,” followed by three final transfers of 10 ETH each.
Tornado Cash, a cryptocurrency mixer sanctioned by the U.S. Treasury in 2022, has allegedly been used to launder over $7 billion in virtual currency and has been linked to North Korean state-sponsored hackers. The irony of a thief falling prey to another thief while using a sanctioned service wasn’t lost on the crypto community. The attack mirrors recent security issues where Tornado Cash users conducting transactions via IPFS gateways were unknowingly compromised for months by malicious JavaScript code.
Reactions have been mixed, with some dubbing the incident an elaborate “April Fool’s joke” or karmic justice. Others speculate it might be a diversionary tactic to confuse investigators. Despite missing the February 14 deadline for returning funds, the hacker expressed genuine remorse and apologized for the attack.
Blockchain security firms including Cyvers and PeckShieldAlert have confirmed the transactions to the suspected phishing address, which is linked to the ENS domain safe-relayer.eth.
This strange saga highlights persistent vulnerabilities in DeFi platforms and the hazards of using privacy tools through look-alike front ends. While zkLend previously launched a recovery portal for affected users, it has yet to officially respond to the hacker’s latest message.
Meanwhile, security firms and potentially law enforcement continue their investigations into both the original theft and this unusual aftermath.