The hacker behind the $9.6 million exploit of the decentralized money-lending protocol zkLend in February claims they’ve simply fallen sufferer to a phishing web site impersonating Tornado Cash, ensuing within the lack of a good portion of the stolen funds.
In a message despatched to zkLend by means of Etherscan on March 31, the hacker claimed to have misplaced 2,930 Ether (ETH) from the stolen funds to a phishing website posing as a front-end for Tornado Cash.
In a sequence of March 31 transfers, the zkLend thief sent 100 Ether at a time to an deal with named Tornado.Cash: Router, ending with three deposits of 10 Ether.
“Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” the hacker mentioned.
The hacker behind the zkLend exploit claims to have misplaced many of the funds to a phishing web site posing as a front-end for Tornado Cash. Source: Etherscan
“All the 2,930 Eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money,” they added.
zkLend responded to the message by asking the hacker to “Return all the funds left in your wallets” to the zkLend pockets deal with. However, in accordance with Etherscan, one other 25 Ether was then sent to a pockets listed as Chainflip1.
Earlier, one other consumer warned the exploiter in regards to the error, telling them, “don’t celebrate,” as a result of all of the funds have been despatched to the rip-off Tornado Cash URL.
“It is so devastating. Everything gone with one wrong website,” the hacker replied.
Another consumer warned the zkLend exploiter in regards to the mistake, however it was too late. Source: Etherscan
How zkLend was exploited for $9.6 million
zkLend suffered an empty market exploit on Feb. 11 when an attacker used a small deposit and flash loans to inflate the lending accumulator, according to the protocol’s Feb. 14 autopsy.
The hacker then repeatedly deposited and withdrew funds, exploiting rounding errors that grew to become important because of the inflated accumulator.
The attacker bridged the stolen funds to Ethereum and later didn’t launder them by means of Railgun after protocol insurance policies returned them to the unique deal with.
Following the exploit, zkLend proposed the hacker could keep 10% of the funds as a bounty and supplied to launch the offender from authorized legal responsibility and scrutiny from regulation enforcement if the remaining Ether was returned.
Related: DeFi protocol SIR.trading loses entire $355K TVL in ‘worst news’ possible
The supply deadline of Feb. 14 handed with no public response from both get together. In a Feb. 19 replace to X, zkLend said it was now providing a $500,000 bounty for any verifiable info that would result in the hacker being arrested and the funds recovered.
Losses to crypto scams, exploits and hacks totaled over $33 million, in accordance with blockchain safety agency CertiK, however dropped to $28 million after decentralized alternate aggregator 1inch successfully recovered its stolen funds.
Losses to crypto scams, exploits and hacks totaled nearly $1.53 billion in February. The $1.4 billion Feb. 21 assault on Bybit by North Korea’s Lazarus Group made up the lion’s share and took the title for largest crypto hack ever, doubling the $650 million Ronin bridge hack in March 2022.
Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis
Read MoreCointelegraph.com News