Further digging into the attacker's address on Starknet:
0x04d7191dc8eac499bac710dd368706e3ce76c9945da52535de770d06ce7d3b26

Strongly correlated with the L1 address of the test record before the attack:

0xd95b3c1e638ce3cdc070ad6d4f385c61e2ee8662
0x93920786e0fda8496248c4447e2e082da69b6c40
0x34e5dc779cb705200e951239b6a89aaf5c7dbfc1

The traces correspond to the picture. There are indeed a lot of traces, but there is also a special discovery that is related to the hacking incident of EraLend that year (2023/7/25):
https://x.com/Era_Lend/status/1683897328938389505

I'm afraid the zkLend hackers are the ones who hacked EraLend back then. If that's the case, no wonder they left so many traces and acted so recklessly.

🚨 Update 

1/8 Our team is working tirelessly to address the situation and safeguard community interests. Here are the key updates:

EraLend | The #1 Money Market on zkSync🥇

Just because they use a cheap trick to make the user feel more secure doesn't mean the system underneath it isn't, in fact, secure (it doesn't mean it is secure either, it says nothing one way or another).