Zero To Tiny

The team didn't get hacked. They migrated.

ZeroLend was never a lending protocol. It was a vessel. The founders copied technical assets from Radiant Capital — itself later rekt for $53M in October 2024 — wrapped them in marketing, filled the system with mercenary TVL, then drained it. When the heat came, they didn't fix it. They stayed silent for sixteen months, extracted what was left, promised compensation they never delivered, and moved to a new project called TinyHumans. This is the playbook, and we have every transaction.

So who's really running the con — the hacker, or the team that built the door and left it unlocked?

Déjà Vu in Eighteen Days

May 11, 2024: Blast chain, $5.5M, same PT-LBTC oracle manipulation. PeckShield flagged it. The team responded — paused the market, offered a 10% bounty, commissioned audits. They knew the vulnerability class.

Eighteen days before that, the same flaw was already live on Base. They never patched Base.

If you discover your front-door lock is broken, do you leave the back door the same way?

The Audit Salad

ZeroLend forked Radiant Capital — an Aave v3 derivative built for cross-chain. DeFiLlama's adapter for ZeroLend is literally aave.ts. The audit logos on the site (Mundus, Quill, Halborn) were camouflage while the protocol ran insolvent.

You don't hire three auditors to prove you're safe. You hire three auditors to look safe.

And when the logos start mattering more than the code, who's the auditor really working for?

February 23, 2025 — Zero To Lend

0x218C572b1Ab6065D74bEbcB708a3f523D14F7719. Fresh wallet, funded that day via Railgun. 38.81 ETH in, 35.58 ETH through Pendle/Odos to acquire PT-LBTC collateral, then three borrows in 45 minutes — 0.953 LBTC, 1.477 LBTC, 1.493 LBTC. 3.92 LBTC. ~$371K. Gone through Aerodrome, Across, and into Hyperliquid before anyone could blink.

Who times a forty-five-minute heist on a wallet they minted that morning, with capital routed through a privacy pool, unless they already knew the door was unlocked?

The Zombie Market

The market stayed open. For sixteen months. The deposit UI accepted new funds while the protocol was insolvent. Discord moderators told users the issue was "high utilization," "maintenance," a "UI issue." The ACLManager's last transaction was October 1, 2024. No setReserveFreeze. No setBorrowCap. No pause.

A protocol that's been drained but keeps the deposit button lit — is that really negligence, or is that the business?

The Silent Extraction

April 27, 2025 — two months after the exploit — a Gnosis Safe appears: 0x0f2876396a71fe09a175d97f83744377be9b6363. Created by capstack.eth(0x3fB00C...7558), funded from a Binance KYC account.

The Safe deposited 0.494 LBTC on June 21, 2025 — the only post-exploit depositor — then extracted 0.766 LBTC via Chainlink CCIP, automated by Gelato, while the team publicly said they were "working diligently to trace and recover funds." $291K moved.

Working diligently — with a stopwatch and a bridge.

The Empty Promise

February 16–17, 2026. Under shutdown pressure, the team announced "partial refunds" to Base LBTC depositors, funded by a Linea airdrop allocation. One hundred and twenty-six days later: zero victims received anything. On-chain, 71.8% of the ZERO token went to ten concentrated wallets. 1.4% showed any victim-compensation pattern.

The token itself had collapsed 94.7% from its TGE-day ATH — $0.001229 to $0.0000658 — so even the promised compensation was denominated in dust.

A promise made in a dead token, to people you'd already robbed, on a timeline you never started.

Enamakel = Deadshotryker

Old databases listed two founders: Steven Enamakel and Deadshot Ryker. They are one person. We have the proofs and the pictures. Enamakel — @senamakel on X, senamakel on GitHub, "Creator @ ZeroLend" on LinkedIn — controlled 97% of the ZERO supply from a single wallet (0x9FA7...429e) while marketing the protocol as "decentralized."

He held the deployer keys across ten chains (0x0F6e98...289d). He never transferred governance to the community.

Two founders, one man, and a 97% lie.

Zero To Tiny

The team didn't disappear. They relocated. @tinyhumansai / OpenHuman is Steven Enamakel's new project — "Chef Buildooor @tinyhumansai" reads his X bio today. Same pattern, new label.

This is what bad actors cost the entire industry: every silent exit scam, every drained-then-abandoned protocol, every "decentralized" lie erodes the trust that legitimate builders depend on. When founders can drain their own protocol, hide for sixteen months, and launch a fresh "AI" project the next week, the reputational damage is paid by everyone in DeFi — not just the users who lost money.

The victims of the next version of this team haven't deposited yet.

The Authorities Are Listening

This is not a vigilante post. The on-chain trail is preserved, timestamped, and verifiable on public block explorers. Law enforcement in the United States, in Dubai (UAE), in Canada, and in India have been contacted and are taking the matter seriously.

The Binance KYC trail to capstack.eth is the single highest-value lead. The Linea allocation ledger, the Discord archive, the deployer hierarchy — all subpoena-ready.

The blockchain remembers. Now the authorities do too.

Credits

Sources: rekt.news, CoinDesk (Omkar Godbole, 2026-02-17), The Block, Basescan, Etherscan, Arbiscan, Lineascan, DeFiLlama, CoinGecko, GitHub (zerolend org), Discord archive, PeckShield (May 2024). Compiled by an independent forensic researcher. REKT serves as a public platform for anonymous authors.