Hacker wanted to launder stolen money through Tornado Cash - but got caught: minus $10 million

04-15-2025
A hacker wanted to launder stolen money through Tornado Cash - but became a victim himself. How did he lose $10 million to phishing and why did he admit it on the blockchain?
Stole 3,000 ETH — then lost it all. A hacker tried to cover his tracks through Tornado Cash, but ended up on a fake website. Millions were sent to a real smart contract, but the access to those funds is now lost forever. In despair, he left a farewell message directly on the blockchain.

Introduction

As decentralized finance and anonymous crypto tools grow in popularity, more attackers are using crypto mixers to hide the origins of stolen funds. One of the most well-known tools for this is Tornado Cash, which allows users to "break the link" between sender and receiver, making transactions nearly untraceable.
A crypto mixer is a service designed to provide anonymity for blockchain transactions. Its main function is to break the direct connection between sender and recipient, making it harder to trace the origin of cryptocurrency.

Here's how it works: a user deposits crypto into a shared pool where it's mixed with funds from others. Later, the user can withdraw their money to a new address, with no clear link to the original wallet. To do that, they need a unique secret code provided at deposit.

Decentralized mixers operate via smart contracts (e.g., Tornado Cash).

While mixers were initially created to enhance privacy, they're often used for laundering stolen assets. That’s why they face scrutiny or outright bans in many countries.
Even the most well-planned exploits can collapse due to human error — haste, overconfidence, or carelessness. That’s exactly what happened in early 2025, when a hacker trying to launder stolen crypto ended up becoming a victim himself, drawing the attention of the entire crypto community.

The hacker had stolen a large sum and attempted to anonymize it through Tornado Cash. But he accessed a fake website, indistinguishable from the real one, and deposited funds there. While the money did go into the real contract, he never received the secret withdrawal code. As a result, he lost access to everything.

At first glance, it might seem like just another crypto incident. But this case is symbolic: the one trying to hide stolen funds became a victim of other criminals, losing it all. In a way, he fell victim to his own methods.

Main Part

From Theft to Total Loss

At first, the activity of address 0xD89B7236f4eA38a2AfC1d614Dc3De08A190f1Ff5 looked ordinary. It sent large sums of ETH into the Tornado Cash smart contract, following what seemed to be a typical anonymization pattern: deposit, wait, use the secret note, and withdraw to a clean address.

But this time, the operation failed completely. Not because of a technical error or a contract bug — but due to a much simpler problem: the hacker used a phishing site mimicking Tornado Cash.

The flow of funds can be seen in the graph below, which shows:

  • the origin of the stolen ETH,
  • the transfer into the Tornado Cash contract,
  • and the final recipient of part of those funds.

The visualization confirms that the money was indeed deposited into a real smart contract — but without a valid note, the funds are unrecoverable, even by the depositor.

Bholder connection graph showing the flow of cryptocurrency from the hacker to the Tornado Cash address.

A Fake Interface, a Real Contract, and Lost Millions

The hacker used a dApp that looked exactly like the official Tornado Cash interface. Such phishing dApps often interact with legitimate contracts but alter crucial functions — in this case, the note that proves ownership of the deposit.

This note is the only way to withdraw funds from Tornado Cash. If it’s not received or if it's fake, there is no way to prove deposit ownership — even though the crypto is in the contract.

That’s what happened here: the hacker sent 2,930 ETH (~$10 million) to the smart contract but did not receive a valid note due to the phishing front-end. Access to the funds was permanently lost.

Blockchain Comments to the Hacker

Interestingly, the blockchain turned into a kind of chatroom. Hours after the incident, another user at address 0x914d73E3... jumped in with mocking on-chain messages:
zkLend hacker, don’t celebrate. You used a fake Tornado Cash link. Your note was harvested (safe-relayer.eth), and all the funds are now at 0xf9effa7d38a9aa9e5ecc725666cbf04014431ad.
And then:
You entered a fake Tornado Cash URL, and the note was captured by safe-relayer.eth.
Whoever wrote that — white hat, competitor, or opportunist — delivered the final blow. No ETH, no redemption, just public humiliation.

A Public Apology On-Chain

Realizing the loss, the hacker did something rare: he posted a public apology directly on-chain, addressed to zkLend, the project he allegedly attacked:
Hello. I tried to send the funds to Tornado but used a phishing site and lost everything. I am in despair. I'm deeply sorry for all the damage caused. The 2,930 ETH is now gone to the owners of that site. I have no tokens left. Please focus your efforts on them. This will be my last message. I’d rather end it all. Again, I apologize.
That on-chain message became a kind of digital confession. Proof that even in the most anonymous systems, emotion and error go hand in hand.

Response From zkLend

A short, cold reply soon followed from a zkLend-linked address:
Return all remaining funds to this address.
A symbolic response — possibly knowing there was nothing left to return. It marked the end of the dialogue.

A fragment of a hacker's public appeal after a failed attempt to launder funds through a phishing site. He reports the loss of more than 2900 ETH and asks to redirect efforts to finding the owners of the fake interface. Source: https://etherscan.io/idm?addresses=0xd89b7236f4ea38a2afc1d614dc3de08a190f1ff5,0xcf31e1b97790afd681723fa1398c5ead9f69b98c&type=1.

Chronology of the hacker's correspondence with a blockchain user as well as with zkLend.

Main Part (Continued)

How DeFi Phishing Works: Real Contracts, Fake UIs

One unique aspect of decentralized apps (dApps) is that their frontend (interface) is separate from the logic. Users interact with websites that connect to contracts, but the website itself can be malicious. This creates an ideal attack surface for phishing in DeFi.

In this case, the hacker likely used the real Tornado Cash contract but accessed it via a fake site. These sites:

  • connect wallets properly,
  • replicate UI elements faithfully,
  • send real transactions,
  • but fail to generate or display a valid note (or display a fake one).

Since Tornado Cash contracts do not store any link between the deposit and the sender, the note is the only key to withdraw. No note — no access.

This wasn't a flaw in Tornado Cash, but in the user's actions. The contract worked as intended — the attacker simply used a poisoned interface.
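To make the "real contract, fake UI" mechanics concrete, here is an added toy model (not Tornado Cash's code; SHA-256 stands in for its Pedersen hash, and the contract is reduced to a commitment set) with an honest front-end, a note-harvesting one, and the client-side check a depositor can run: recompute the commitment from the note you were shown and compare it with the commitment that actually landed in the contract's Deposit event.

```python
import hashlib
import os

# Toy model of a Tornado-style mixer (assumption: SHA-256 replaces the real
# Pedersen hash; the real note is a 31-byte nullifier + 31-byte secret).

def commitment(nullifier: bytes, secret: bytes) -> bytes:
    """What the contract records; only the note holder knows the preimage."""
    return hashlib.sha256(nullifier + secret).digest()

def nullifier_hash(nullifier: bytes) -> bytes:
    """Published at withdrawal so the same note cannot be spent twice."""
    return hashlib.sha256(nullifier).digest()

class ToyMixer:
    """Stores commitments only: no link between a deposit and its sender."""
    def __init__(self):
        self.commitments = set()
        self.spent = set()

    def deposit(self, commit: bytes) -> None:
        self.commitments.add(commit)

    def withdraw(self, nullifier: bytes, secret: bytes) -> bool:
        c, nh = commitment(nullifier, secret), nullifier_hash(nullifier)
        if c not in self.commitments or nh in self.spent:
            return False          # unknown note or already spent
        self.spent.add(nh)
        return True

def make_note():
    return os.urandom(31), os.urandom(31)   # (nullifier, secret)

def note_matches_deposit(note, onchain_commitment: bytes) -> bool:
    """Depositor-side check: the note shown by the UI must reproduce the
    commitment read from the chain's Deposit event, not from the UI itself."""
    return commitment(*note) == onchain_commitment

def honest_frontend(mixer: ToyMixer):
    note = make_note()
    c = commitment(*note)
    mixer.deposit(c)
    return note, c            # depositor gets the real note

def phishing_frontend(mixer: ToyMixer):
    """Fake UI: submits a real deposit, keeps the real note, shows a bogus one."""
    harvested = make_note()   # never leaves the phishing site
    c = commitment(*harvested)
    mixer.deposit(c)          # funds really land in the contract
    return make_note(), c     # the note shown cannot open this deposit
```

In practice the second argument of note_matches_deposit comes from the Deposit event in a block explorer, which is exactly the cross-check a phishing front-end cannot fake.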
Note: The screenshot of the Tornado Cash interface is presented in the article solely to explain the technical part of the incident. We do not promote the use of such tools and publish the image only in the context of analyzing a specific situation.

Takeaways: The Blockchain Remembers Everything

This story reads like a cautionary tale: a hacker loses millions due to a basic phishing trap. But beyond the irony, there are a few key lessons:
1. Smart contracts don’t protect against fake interfaces.
2. No amount of stolen funds makes you immune to human error.
3. Phishing in Web3 is evolving — and even criminals fall for it.
4. The blockchain records everything, including regrets.

The loss of 2,930 ETH isn’t just a technical failure. It reflects a world where privacy and security depend on user behavior, and where justice isn’t always legal — sometimes it’s just... poetic.

Final Note: A Mistake Etched in Code

This wasn’t just a heist gone wrong — it was a reminder that even in a world built on logic, the weakest link is still human.

A skilled attacker, capable of breaching protocols, lost it all to a fake link. No confirmation, no double-checking, no fallback.

He trusted anonymity to cover his tracks — but that same desire led him into a trap.

In the end, all that remained was a message on the blockchain: an apology, a plea, a digital moment of failure.

There were no arrests, no lawsuits — just one irreversible transaction. And silence.