Blockchain security company CertiK has successfully blocked $160,000 of stolen funds from Merlin, a decentralized exchange based on zkSync that was the subject of a “rug pull” that saw users lose $1.8 million last week.

CertiK announced the freeze in a tweet to its 257,700 followers, adding that the company is continuing to monitor the movement of the stolen funds.

Despite an unsuccessful attempt to recover the funds in collaboration with Merlin, CertiK has reached out to law enforcement in the United States and the United Kingdom to identify the pseudonymous operators responsible for the scam. The firm believes the “rogue developers” are based in Europe.

CertiK identified a private key issue as the root cause of the scam, and attributed part of the blame to themselves for not properly informing users of the centralization risks.

In response, the company will improve the clarity of audit summaries in their reports, particularly around centralization risks, and work to better communicate the purpose of an audit to the community.

CertiK launched a $2 million compensation plan to cover the funds lost in the exit scam, and pledged to use the funds to prevent future exit scams and assist victims where possible.