A hacker who drained $5.4 million from zkLend on Starknet fell victim to a phishing scam while laundering the stolen ETH, sparking irony-laced reactions and renewed scrutiny of DeFi security risks.
Background
- On March 31, 2025, zkLend—a DeFi lending protocol on the Starknet blockchain—suffered a major exploit resulting in the theft of 2,930 ETH, worth approximately $5.4 million at the time.
- The hacker swiftly attempted to anonymize the funds using Tornado Cash, an Ethereum-based crypto mixer.
- However, in an unexpected twist, they mistakenly interacted with a phishing site—tornadoeth[.]cash, a fake version of the real service.
- Within minutes, the phishing site drained the stolen ETH in chunks of 100 ETH, funneling the funds to a separate wallet.
- The phishing domain was previously flagged as malicious by MetaMask’s security team in 2023.
Why Should You Pay Attention?
- This incident underscores the multifaceted dangers of DeFi—not only for users but also for malicious actors. It serves as a cautionary tale about the proliferation of phishing sites mimicking popular protocols and raises broader questions about on-chain anonymity tools like Tornado Cash.
- Moreover, some analysts suspect the hacker may have staged the loss as a tax evasion strategy or a cover for internal laundering, adding layers of intrigue to the saga.
Who Said What?
- In an on-chain message to zkLend’s deployer address, the hacker confessed:
“I tried to move funds to Tornado, but I used a phishing website, and all the funds have been lost. I am devastated.”
- zkLend acknowledged the exploit and subsequent mishap in a public statement on April 1, stating that their security team is tracking wallet addresses linked to the phishing scam.
- LANGERIUS, founder of Hunters of Web3, weighed in:
“Imo, both wallets belong to same hacker. People use this method for tax loss harvesting, wash trading, or fake X hacks.”
- Similarly, a blockchain sleuth operating under the alias TornadoCashBot wrote:
“The person who stole zkLend and the phishing website imitating TornadoCash may be the same person. The ENS safe-relayer.eth has been marked on Etherscan, and we can track it through its transfer records.”
Zooming Out
- While the hacker’s loss evokes irony, the broader implications are sobering.
- DeFi continues to attract sophisticated attacks, yet even attackers are vulnerable to the underbelly of the crypto ecosystem.
- Whether this was an unfortunate blunder or a calculated maneuver disguised as a mistake, the event is a reminder to be careful and of the need for better phishing protection, user education, and strong infrastructure within DeFi.

![In an unexpected twist, they mistakenly interacted with a phishing site—tornadoeth[.]cash](https://cdn.prod.website-files.com/64e2d11370e5eca9bb7f2087/66e16c3210f2e681dbc274a6_hack.webp)

