In a strange occurrence, a hacker was able to capture 2,930 ETH (worth about $5.5 million at the time) from zkLend but has now lost all that money due to falling for a phishing website.
The hacker, who was trying to be a “good actor” and not too different from a law enforcement agency that seizes stolen cryptocurrency, transferred the stolen funds through a series of transactions to TornadoCash, a popular protocol that helps users maintain their privacy. The funds were sent to a site that impersonates TornadoCash but is, in actuality, a phishing site. The hacker’s final message, left on the blockchain, expressed regret, admitted defeat, and urged others to target the phishing website’s operators.
A Desperate Attempt to Move the Stolen Funds Ends in Catastrophe
The hack took place when the attacker was able to steal a huge sum of money amounting to 2,930 ETH from zkLend, a decentralized lending platform that allows users to securely and efficiently lend and borrow assets. After moving the stolen funds to an address under the attacker’s control, the hacker then tried to clean the money (anonymize it, to be precise) through TornadoCash, a widely used privacy tool that allows Ethereum users to mix their transactions and thereby cover their digital tracks.
Yet, in a serious blunder, the hacker deposited the stolen Ethereum into a phishing website that had masqueraded as Tornado Cash. Phishing scams are a common way for bad actors to extract sensitive information and funds from unsuspecting victims. In this instance, the phishing site was so convincing that it duped the hacker as well.
Within moments of depositing the funds, the hacker discovered that the phishing website had duped them. All the stolen ETH was now in the hands of the scam operators. In a final act of desperation, the hacker left a message on the blockchain, detailing the sequence of events and apologizing for the mess caused by the hack. The hacker not only said “sorry” but also let slip that they had lost all the funds they’d freed up with the hack.
A Candid Admission of Defeat: The Hacker’s Final Message
The Ethereum blockchain directly captured the inscribed message from the hacker. The poor pathetic soul dumped onto the blockchain what’s about to happen to their pathetic soul. ‘Hello, I tried to move funds to Tornado but I used a phishing website, and all the funds have been lost… I am terribly sorry for all the havoc and losses caused.’ Yes, it’s taking a while to get through it all, but with each passing moment, this lost soul becomes even more decrepit and subhuman. We might as well enjoy the ride, folks.
The hacker then begged the crypto community to stop concentrating on the taken money and start examining the people who actually run the phishing site. He suggested that if they could figure out who was behind the site, they might be able to get some of that money back. “I’m begging you,” the hacker wrote. “Please work on identifying those site owners and recover some of the money with which you could ‘onboard’ even more people into the crypto community.”
The message ended with a bleak acknowledgment of failure. “This will be my last message. It’s better to just end this. Again, I’m sorry.”
Many raised eyebrows across the crypto community when the hacker sent a message expressing what seemed to be genuine remorse. While it may seem a little too on-the-nose for a hacker to admit to wrongdoing and ask for forgiveness, this whole situation has been fueled by the fact that the hacker sent subsequent messages, claiming that the funds were lost due to an error on his part. It has raised the debate over the ethics and consequences of such crimes to a new level. Do we believe this hacker? Is it just more damage control after the loss of a substantial amount of stolen cryptocurrency?
The Fallout: Lessons and Warnings for the Crypto Community
This incident teaches some crucial lessons for both hackers and the wider cryptocurrency world. It emphasizes the risk posed by phishing attacks, especially when interacting with services like TornadoCash that are designed to protect user privacy. More and more of us are using these kinds of tools to obfuscate our transactions. In response, scammers are clearly ramping up their efforts to reel in the not-so-cautious among us via fake sites and other forms of electronic social engineering.
Moreover, this circumstance reminds us of the weaknesses existing in the decentralized finance (DeFi) space. Even though DeFi appears to offer a path toward more financial freedom and privacy, we should remember that the crypto ecosystem is only as safe as the smart contracts and other security systems on which it relies. Anything that’s decentralized (like a lot of stuff in the crypto ecosystem) can also be described as being ungoverned. Put it all together, and we have a recipe for security breaches, hacks, and scams.
In these last words, the hacker asks that people blame the real villains behind this phishing scheme rather than the hackers themselves. It’s an understandable request since the hackers were only taking advantage of a scam that exploited some poor decision-making on the part of the victims involved. But it does bring attention to the unreconciled tension between malicious actors and security measures inside the crypto space.
There might be sympathy for the hacker in the crypto community, but this incident hammers home a vital point: secure your funds, double-check your URLs, and don’t part with your crypto unless you’re certain you aren’t about to get hacked. This cautionary tale showing how large amounts of cryptocurrency can just up and disappear should serve as an even bigger warning for not being hackable in the increasingly hackable world we live in.
The End of the Line: Is This the Final Chapter for the Stolen ETH?
Currently, the missing 2,930 ETH seems irretrievably lost. The hacker’s recent admission of defeat effectively shuts the door on any remaining hope of moving or laundering the taken funds. And while it now looks certain that the stolen assets will never be returned, the incriminating on-chain message serves as a permanent reminder of this attack and, in particular, the unexpected consequences of engaging in illicit activities in and around the crypto space.
In the end, this incident works perfectly as a reminder about the danger of cryptocurrency for both criminals and law-abiding citizens. It calls into question the safety of these transactions and, by extension, the whole platform on which the virtual economy is built. It also highlights the issue of phishing scams, which all too often seem to be growing in both number and sophistication. We are promised an imminent appearance by the Ethereum “Sheriff,” but until then, this tale serves as an occasion for reflection.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
The post Hacker Who Stole 2,930 ETH From zkLend Loses It All in Phishing Scheme, Admits Defeat appeared first on The Merkle News.