{"id":46967,"date":"2025-09-04T20:54:18","date_gmt":"2025-09-04T13:54:18","guid":{"rendered":"https:\/\/hbbgroup.net\/venus-protocol-recovers-users-13-5m-stolen-in-phishing-attack\/"},"modified":"2025-09-04T20:54:18","modified_gmt":"2025-09-04T13:54:18","slug":"venus-protocol-recovers-users-13-5m-stolen-in-phishing-attack","status":"publish","type":"post","link":"https:\/\/hbbgroup.net\/zh\/venus-protocol-recovers-users-13-5m-stolen-in-phishing-attack\/","title":{"rendered":"Venus Protocol recovers user\u2019s $13.5M stolen in phishing attack"},"content":{"rendered":"
\n
\n

Victim Kuan Sun praised Venus and partners after $13.5M recovery, calling it \u201ca battle we actually won\u201d through joint efforts. <\/p>\n

\"Venus<\/picture><\/div>\n
\n
\n

Decentralized finance (DeFi) lending platform Venus Protocol helped a user recover stolen crypto following a phishing attack tied to North Korea\u2019s Lazarus Group.\u00a0<\/p>\n

On Thursday, Venus Protocol announced<\/a> that it had helped a user recover $13.5 million in crypto after the phishing incident that occurred on Tuesday<\/a>. At the time, Venus Protocol paused the platform as a precautionary measure and began investigating.\u00a0<\/p>\n

According to Venus, the pause halted further fund movement, while audits confirmed Venus\u2019 smart contracts and front end were uncompromised.<\/p>\n

Emergency vote enables fund recovery<\/h2>\n

An emergency governance vote allowed the forced liquidation of the attacker\u2019s wallet, enabling stolen tokens to be seized and sent to a recovery address.\u00a0<\/p>\n

Source: <\/em>Kuan Sun<\/em><\/a><\/figcaption><\/figure>\n

Attackers exploited a malicious Zoom client<\/h2>\n

In the post-mortem, Venus revealed that the attackers used a malicious Zoom client to trick the victim into granting delegated control over the account. <\/p>\n

This allowed the perpetrators to borrow and redeem on the victim\u2019s behalf, enabling them to drain millions in stablecoins and wrapped assets.\u00a0<\/p>\n

The protocol\u2019s security partners, HExagate and Hypernative, flagged the suspicious transaction within minutes, leading to the decision to pause the protocol. According to Venus, the recovery process unfolded in less than 12 hours.\u00a0<\/p>\n

Kuan Sun, who was identified as the victim of the attack, thanked<\/a> the teams behind the recovery. \u201cWhat could have been a total disaster turned into a battle we actually won, thanks to an incredible group of teams,\u201d Sun wrote.<\/p>\n

PeckShield, Binance, and SlowMist also assisted in the recovery.<\/p>\n

Related: <\/strong><\/em>WLFI blocks hacking attempts with onchain blacklisting<\/strong><\/em><\/a><\/p>\n

Phishing attack linked to the Lazarus Group<\/h2>\n

SlowMist\u2019s analysis linked the attack to the Lazarus Group, a North Korea-backed collective blamed for major crypto heists, including the $600M Ronin bridge exploit and the $1.5B Bybit hack. <\/p>\n

Sun said SlowMist carried out extensive analysis work and was \u201camong the very first to point out that Lazarus was behind this attack.\u201d<\/p>\n

The Lazarus Group<\/a> is a North Korea-linked hacking collective believed to operate under the country\u2019s intelligence agency. <\/p>\n