ZkLend Offers Bounty to Hacker After Losing Almost $5M in Exploit

The past week already saw a wave of new cyber-related incidents that affected both the crypto and cybersecurity sectors. These included the hack of zkLend as well as an exploit of the meme token launch platform Four.Meme, which lost $183,000. This happened after the very hostile launch of the Test (TST) token. On the regulatory front, the US, UK, and Australia sanctioned Russia-based Zservers for allegedly facilitating ransomware payments for LockBit.

ZkLend Loses Millions in Exploit

The decentralized money lending protocol zkLend fell victim to a $4.9 million exploit on the Starknet network. Blockchain security firm Cyvers reported that the stolen funds were bridged to Ethereum and laundered through Railgun. However, due to Railgun’s protocol policies, the funds were eventually returned to the original address.

After the exploit, zkLend made an offer to the attacker, proposing that they keep 10% of the stolen funds as a whitehat bounty in exchange for returning the remaining amount. The protocol also warned that if the attacker did not comply by Feb. 14, law enforcement and security firms would start tracking and prosecution efforts.

Despite a sizable 44% decrease in crypto hacks year-over-year in January, cybercriminals still managed to steal more than $73 million in the month alone. Considering the fact that 2024 saw $2.3 billion lost across 165 incidents, which was a 40% rise from 2023, security experts are increasingly concerned that 2025 may see another multibillion-dollar year of exploits.

While most hacks result in financial losses, there have been some rare instances where attackers return the stolen funds. In May of 2024, a hacker who carried out a $71 million wallet poisoning scam unexpectedly returned the stolen Ethereum. The fact that it was a very high profile case, along with the involvement of multiple blockchain investigation firms, very likely influenced the decision to return the funds. The scam involved tricking an investor into sending Wrapped Bitcoin to a fake wallet address that closely resembled a legitimate one.

Blockchain security firms like Cyvers are actively working on ways to mitigate the risk of future exploits. One promising approach is off-chain transaction validation, a mechanism that simulates and verifies blockchain transactions in an off-chain environment before they are executed. According to Michael Pearl, vice president of GTM strategy at Cyvers, this method could potentially prevent 99% of all crypto hacks and scams.

Four.Meme Also Loses Thousands in Crypto Attack

The BNB Chain-based meme coin launch platform Four.Meme also recently fell victim to a security breach after hackers exploited vulnerabilities to drain liquidity from meme tokens. The attack happened on Feb. 11 and prompted an immediate response from the Four.Meme team, who assured users that internal funds remained safe and unaffected. However, according to blockchain security firm PeckShield, the exploit still resulted in the loss of approximately $183,000 worth of digital assets.

The incident happened at a time when Four.Meme had received a lot of attention in the crypto space after the surge and subsequent drop of the Test (TST) token. The TST token briefly peaked at a market cap of $489 million on Feb. 9 before experiencing a sharp decline of over 50%, according to data from CoinMarketCap.

The token first came to public attention after being momentarily displayed in a BNB Chain tutorial video about the Four.Meme platform. While the token was only meant for testing purposes, its brief exposure led to a wave of speculative buying that was driven by China-based influencer communities.

TST market cap over the past 24 hours (Source: CoinMarketCap)

Despite Binance’s former CEO Changpeng Zhao clarifying that the video was not an endorsement, the market frenzy around TST continued. Zhao later acknowledged that Binance’s token listing process had some serious flaws due to how decentralized exchange traders leveraged arbitrage opportunities that ultimately contributed to poor token performance post-listing. In an effort to bring more transparency to the process, Binance co-founder Yi He later shared more details about the main criteria for token listings, which places a lot more emphasis on a token’s potential return on investment, ability to drive innovation, and performance on other exchanges.

While the financial loss in this case was relatively small compared to other larger exploits, the incident proves that there is very much still a need for stronger security measures in the meme token ecosystem.

US, UK, and Australia Sanction Zservers

Authorities in the United States, Australia, and the United Kingdom sanctioned Russia-based bulletproof hosting provider Zservers for allegedly supplying services to the LockBit ransomware gang. The sanctions were announced on Feb. 11, and include asset freezes on Zservers and its UK-based front company, XHOST Internet Solutions LP, as well as travel bans and asset freezes for six individuals. The US Treasury’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign Office stated that bulletproof hosting providers like Zservers make it possible for cybercriminals to mask their locations, identities, and activities online, which helps facilitate attacks on critical infrastructure.

LockBit has been linked to billions of dollars in damages worldwide, including attacks on Australia’s Medibank and the Industrial Commercial Bank of China US. The ransomware group encrypts victims’ files and demands cryptocurrency payments in exchange for restoration or to prevent data leaks. In February of 2024, authorities from 10 countries launched a coordinated effort to disrupt the group’s operations.

Two of the six sanctioned individuals, Russian nationals Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, were identified as Zservers administrators involved in facilitating LockBit’s crypto transactions. Blockchain analytics firm Chainalysis revealed that Mishin and three other wallets linked to Zservers have now been placed on OFAC’s Specially Designated Nationals list, restricting their access to the global financial system.

Zservers’ on-chain activity indicates it received funds from various ransomware affiliates, not just LockBit, and that it cashed out proceeds through sanctioned Russian-based exchange Garantex and other platforms with lax Know Your Customer enforcement. Chainalysis also reported that Zservers processed at least $5.2 million in on-chain transactions connected to high-risk entities.

OFAC previously targeted crypto-related entities with sanctions, including the addition of 44 Tornado Cash smart contract addresses in 2022 after alleging that they were used to launder more than $7 billion. 

Zservers’ on-chain activities (Source: Chainalysis)

Zservers’ website claims to offer servers in multiple countries, including the US, Russia, Bulgaria, the Netherlands, and Finland, along with technical support and custom configurations. However, its alleged role in facilitating cybercrime has placed it under intense scrutiny. 

LockBit first appeared in September of 2019, and is believed to have extorted up to $1 billion through more than 7,000 attacks between June of 2022 and February of 2024.

Source: https://coinpaper.com/7434/zk-lend-offers-bounty-to-hacker-after-losing-almost-5-m-in-exploit