The hacker behind the $ 9.6 million Exploit in February claims that that they had just been the victim of a phishing website that spent a tornado bar, which led to a major a part of the stolen fund.
In a message that was sent to Zklend via Ethercan on March 31, the Hacker, 2,930 Ether (Eth), claimed to have lost from the stolen funds to a phishing website that spends a front-end for tornado bar money.
In a series of transfers on March 31, the Zklend -thief 100 Ether sent an address called Tornado.money: router and ends with three insoles of 10 ether.
“Hello, I attempted to maneuver medium to a tornado, but I used a phishing website and all of the means have been lost. I’m destroyed. I’m terribly sorry for all of the chaos caused,” said the hacker.
The hacker behind the ZKLEND-Exploit claims to have lost most funds to a phishing website that starts as a front end for tornado bar money. Source: Ethercan
“Every 2,930 ETH were recorded by these site owners. I actually have no coins. Please transfer your efforts to those site owners whether or not they can get a part of the a reimbursement,” she added.
Zklend replied to the news by asking the hacker to “return all of the remedies remaining of their wallets to the ZKLEND letters' address. According to the Ethercan, nevertheless, one other 25 ether were sent to a wallet that’s listed as chainflip1.
In the past, one other user warned the exploitation of the error and told them: “Do not have a good time” because all of the technique of the money url of the fraudster Tornado were sent.
“It is so devastating. Everything is gone with a mistaken website,” replied the hacker.
Another user warned the Zklend -Exploiter of the error, nevertheless it was too late. Source: Ethercan
How zklend was exploited for 9.6 million US dollars
On February 11, Zklend suffered an empty market use obligation when an attacker used a small deposition and flash loan to inflate the credit captum after February 14 of the protocol.
The hacker then repeatedly removed and pulled back fund, which was used to take advantage of circulation errors that were significant as a result of the inflated accumulator.
The attacker bridged the stolen agents to Ethereum and will later not wash them by Railgun after the protocol guidelines had returned them to the unique address.
According to the exploit, the hacker could keep 10% of the funds as a bounty, and offered to release the wrongdoer from the legal liability and examination of the law enforcement authorities if the remaining ether was returned.
The offer period of February 14 passed with no public answer from each parties. In an update on February 19 to X, Zklend announced that it now offers a bonus of 500,000 US dollars for verifiable information that would cause the hacker to be arrested and the funds restored.
According to the blockchain security company Certik, the losses of crypto fraud, heroic deeds and hacks in March in March in greater than 33 million US dollars, but after decentralized exchange agency 1 -CC, his stolen funds were successfully reclaimed.
The losses against crypto fraud, heroic deeds and hacks were almost 1.53 billion US dollars in February. The attack of 1.4 billion US dollars on February 21 on Bybit of the North Korea's Lazarus Group formed the lion's share and took the title for the biggest crypto hack of all time, with the 650 million US dollar Ronin Bridge Hack in March 2022.
