Update (Feb. 12, 11:23 am UTC): This article has been updated to include the latest figures from the ongoing exploit.
Update (Feb. 13, 4:19 am UTC): The headline has been updated to remove Starknet for clarity.
ZkLend was hacked for almost $10 million, marking a resurgence in crypto exploits after a January downturn.
Decentralized money lending protocol zkLend was exploited on the Starknet network for $9.5 million on Feb. 12, according to blockchain security firm Cyvers.
“zkLend has suffered a $9.5 million exploit on the Starknet network. Stolen funds were bridged to Ethereum and laundered via Railgun, but due to protocol policies, the funds were returned to the original address by Railgun!” Cyvers wrote.
Source: Cyvers Alerts
Following the exploit, zkLend offered 10% of the funds as a bounty and release from “any and all liabilities,” if the attacker were to return the remaining funds:
“We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact [...]”
“We are working with security firms and law enforcement at this stage. If we do not hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you,” the firm added.
Source: zkLend
While crypto hacks saw a 44% year-over-year decrease in January 2025, the year’s first month still resulted in more than $73 million stolen.
Security experts fear another multibillion-dollar hacking year, considering that attackers stole $2.3 billion across 165 incidents in 2024, a 40% increase over 2023 when $1.69 billion worth of crypto was stolen.
Some hacks have a happy ending
Some malicious hackers have a change of heart after stealing tens of millions in crypto and receiving widespread investigative attention.
In May 2024, $71 million worth of stolen cryptocurrencies from a wallet poisoning scam was returned to the victim in a fortunate but mysterious turn of events.
The unknown attacker returned $71 million worth of Ether (ETH) tokens after the high-profile phishing incident caught the attention of multiple blockchain investigation firms.
That came as a surprising development after the attack, when an investor sent $71 million worth of Wrapped Bitcoin to a bait wallet address, falling victim to a wallet poisoning scam. The scammer created a wallet address with similar alphanumeric characters and made a small transaction to the victim’s account.
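The lookalike-address trick described above can be caught before a transfer is sent by comparing the destination with addresses the wallet has already used. The following is an added example, not part of the original article; the 4-character prefix and suffix windows, the function names and the sample addresses are assumptions constructed for illustration.

```python
"""Flag a destination address that imitates one the wallet already uses."""
from typing import List, Optional

PREFIX_LEN = 4  # assumption: leading hex chars a truncated display shows
SUFFIX_LEN = 4  # assumption: trailing hex chars a truncated display shows
HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case a 0x-prefixed 20-byte address and validate its shape."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def lookalike_of(dest: str, known: List[str]) -> Optional[str]:
    """Return the known address that dest imitates, or None.

    dest imitates a known address when both ends match but the full
    string differs, so a truncated display renders the two identically.
    """
    d = normalize(dest)
    known_norm = [normalize(k) for k in known]
    if d in known_norm:
        return None  # exact match: a genuine earlier counterparty
    for k in known_norm:
        same_head = d[2:2 + PREFIX_LEN] == k[2:2 + PREFIX_LEN]
        same_tail = d[-SUFFIX_LEN:] == k[-SUFFIX_LEN:]
        if same_head and same_tail:
            return k
    return None


# Constructed sample data (not real addresses).
KNOWN = ["0x1a2b" + "c" * 32 + "9f8e", "0x" + "5" * 40]
POISON = "0x1a2b" + "d" * 32 + "9f8e"  # same ends, different middle

if __name__ == "__main__":
    hit = lookalike_of(POISON, KNOWN)
    print("blocked: imitates", hit if hit else "nothing")
```

A wallet or signing service would run this check on the full address before signing and require explicit confirmation on a hit, rather than relying on the shortened form shown in transaction history.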
Blockchain security firms like Cyvers are working on pre-emptive measures to stop cryptocurrency exploits.
An emerging solution, known as offchain transaction validation, could prevent 99% of all crypto hacks and scams by preemptively simulating and validating blockchain transactions in an offchain environment, Michael Pearl, vice president of GTM strategy at Cyvers, told Cointelegraph.