The protocol’s founder, "Xatarrer," pleaded with the attacker to return most of the stolen funds, and offered them $100,000 as a reward. Meanwhile, the hacker behind zkLend’s $9.6 million February exploit revealed that they lost a huge amount of the stolen funds to a phishing scam while attempting to launder them. Despite an earlier offer from zkLend to let the attacker keep 10% of the stolen funds in exchange for the return of the rest, the hacker never responded.
SIR.trading Founder Offers Hacker a Deal
Decentralized finance protocol SIR.trading was left reeling after a $355,000 hack drained the platform’s entire total value locked on March 30. In a desperate attempt to salvage the protocol and its community, SIR.trading’s pseudonymous founder, known as "Xatarrer," shared an emotional on-chain message to the attacker, asking for the return of the majority of the stolen funds.
Part of Xatarrer’s on-chain message to the hacker
Xatarrer proposed that the hacker keep $100,000 as a reward for discovering the vulnerability but return the remaining amount. He also pointed out that without the recovery of the funds, the project will not survive.
The founder shared that SIR.trading was built over four years without venture capital funding, and was supported only by $70,000 from friends and believers. The platform organically grew to $400,000 in total value locked without any advertising.
Xatarrer also acknowledged the sophistication of the attack, and called the exploit “almost beautiful” if it weren’t for the financial losses suffered by users. Despite the appeal, the attacker has not responded yet and has already transferred the stolen funds through Ethereum privacy protocol Railgun, according to blockchain data.
The exploit stemmed from a vulnerability in SIR.trading’s vault contract, specifically linked to Ethereum’s transient storage feature that was introduced in the March 2024 Dencun upgrade. The attacker manipulated a callback function in the protocol by replacing the Uniswap pool address with one they controlled. This allowed them to repeatedly drain the vault by exploiting the callback function until all of the funds were siphoned off.
While SIR.trading initially announced its intention to continue operations and compensate the affected users, the founder’s recent plea suggests that the platform’s future now hinges on the attacker’s decision.
This incident only adds to the growing list of crypto-related exploits and scams. March alone saw losses of $28.8 million, according to blockchain security firm CertiK. The figure was partially offset by the return of $4.8 million in stolen funds from the 1inch Resolver incident. However, the industry is also still recovering from a very brutal February, which included the staggering $1.4 billion Bybit hack.
North Korean Crypto Hacks Surge
Unfortunately, North Korean cyberattacks targeting the cryptocurrency industry are also becoming increasingly sophisticated, with more groups now participating in these operations. This is according to a new report from crypto firm Paradigm titled “Demystifying the North Korean Threat.”
The report outlines a wide range of attack strategies that are used by North Korean hackers, including direct assaults on crypto exchanges, phishing schemes, social engineering tactics, and complex supply chain hijacks. Some of these attacks reportedly take as long as a year to execute, with operatives patiently waiting to strike at just the right moment.
The United Nations estimates that between 2017 and 2023, North Korean cyberattacks on the crypto sector generated approximately $3 billion in stolen funds. That figure surged in recent years, with attacks in 2024 and 2025 alone adding around $1.7 billion to North Korea's coffers.
(Source: The Soufan Center)
Paradigm’s report identifies at least five distinct North Korean hacker groups responsible for these operations: Lazarus Group, Spinout, AppleJeus, Dangerous Password, and TraitorTrader. The report also sheds some light on a network of North Korean operatives posing as IT workers, who infiltrate global tech companies to support their cyberwarfare objectives.
The Lazarus Group is still the most notorious among these groups, as they executed some of the most high-profile cyberattacks since 2016. Beyond targeting cryptocurrency platforms, the group is also linked to the 2016 Sony hack, the Bangladesh Bank cyberheist, and the 2017 WannaCry ransomware attack. Additionally, Lazarus Group was behind the 2017 hacks of Youbit and Bithumb, the massive 2022 Ronin Bridge exploit, and the 2025 Bybit hack in which close to $1.5 billion was stolen. The group is also suspected of being involved in some Solana meme coin scams.
Paradigm’s report shared specific details about how North Korean hackers typically launder their stolen crypto assets. After securing funds, they fragment the amounts into smaller transactions, moving them across numerous wallets to obscure their origin. They often swap illiquid tokens for more liquid cryptocurrencies and eventually convert most of the stolen value to Bitcoin. Once laundered, the funds are usually left dormant for extended periods until law enforcement scrutiny subsides.
The FBI identified three alleged Lazarus Group members and accused them of cybercrimes. In 2021, the US Justice Department indicted two of these individuals, charging them for their role in a global network of cyberattacks and financial crimes.
zkLend Hacker Loses Millions
Meanwhile, the hacker responsible for the $9.6 million exploit of decentralized money-lending protocol zkLend in February claims to have lost a big portion of the stolen funds after falling victim to a phishing scam. In an on-chain message sent to zkLend on March 31, the hacker said they mistakenly interacted with a fake Tornado Cash website. This resulted in the loss of 2,930 ETH, worth approximately $5.4 million. The hacker explained that while trying to launder the stolen funds through Tornado Cash, they used a phishing site and lost almost everything to the scam operators.
Hacker’s on-chain message to zkLend
After the incident, the hacker sent multiple transactions of 100 ETH each, finishing with three smaller deposits of 10 ETH, all directed to an address labeled Tornado.Cash: Router. They expressed remorse in their message, and said that they were devastated. They even apologized for the chaos caused by the initial exploit. They also urged zkLend to direct their recovery efforts toward the phishing site owners.
In response, zkLend asked the hacker to return any remaining funds still in their wallets. However, blockchain data showed that after the message, the hacker transferred an additional 25 ETH to a wallet identified as Chainflip1, which only further reduced the chances of recovering the stolen assets.
The exploit on zkLend took place on Feb. 11 when the attacker used a combination of small deposits and flash loans to manipulate the lending accumulator. This allowed them to repeatedly deposit and withdraw funds by taking advantage of rounding errors that became significant because of the inflated accumulator value. The stolen funds were later bridged to Ethereum, and an attempt to launder them through privacy protocol Railgun failed after the protocol returned the assets to the original address.
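Why an inflated accumulator turns a negligible rounding error into a real loss can be shown in a simplified integer model. This is an added example, not zkLend's code: the fixed-point base `SCALE`, the scaled-balance formula and the truncating burn are assumptions, chosen to show that the error grows with the accumulator and that rounding the burn up closes it.

```python
# Added illustration, not zkLend's code. Assumed model: balances are kept as
# "scaled" units and raw = scaled * accumulator / SCALE, all in integers.
SCALE = 10**27  # assumed fixed-point base; accumulator == SCALE means 1.0


def to_scaled_down(raw: int, acc: int) -> int:
    """Raw tokens -> scaled units, truncating."""
    return raw * SCALE // acc


def to_scaled_up(raw: int, acc: int) -> int:
    """Raw tokens -> scaled units, rounding up (ceiling division)."""
    return -(-raw * SCALE // acc)


def worst_round_trip_gain(acc: int, burn_rounds_up: bool, max_deposit: int) -> int:
    """Largest raw-token surplus any deposit-then-withdraw pair can produce.

    A sound pool returns 0: nobody may take out more than they put in.
    Minting always truncates; only the burn-side rounding is varied.
    """
    burn = to_scaled_up if burn_rounds_up else to_scaled_down
    window = acc // SCALE + 2  # the error cannot exceed one scaled unit
    best = 0
    for deposit in range(1, max_deposit + 1):
        minted = to_scaled_down(deposit, acc)
        for withdraw in range(deposit, deposit + window):
            if burn(withdraw, acc) <= minted:  # withdrawal would be accepted
                best = max(best, withdraw - deposit)
    return best


if __name__ == "__main__":
    for label, acc in (("1.0", SCALE), ("50.0", 50 * SCALE), ("1000.0", 1000 * SCALE)):
        loose = worst_round_trip_gain(acc, False, 200)
        strict = worst_round_trip_gain(acc, True, 200)
        print(f"accumulator {label}: truncating burn leaks {loose}, round-up burn leaks {strict}")
```

Used as a property check in a test suite, a nonzero result flags a conversion helper that rounds in the user's favour.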
After the attack, zkLend offered the hacker a deal to keep 10% of the stolen funds as a bounty in exchange for returning the rest and avoiding legal action. However, the hacker did not respond by the Feb. 14 deadline. On Feb. 19, zkLend announced a $500,000 reward for any verifiable information leading to the hacker’s arrest and the recovery of the stolen funds.