Venus Protocol announced the recovery of $13.5 million in stolen funds after a phishing attack linked to the Lazarus Group. The incident happened on Tuesday, leading the DeFi lending platform to pause operations. The pause prevented further fund movements and allowed audits to confirm the protocol’s systems remained uncompromised.

The victim, Kuan Sun, expressed gratitude to the teams involved. He said,

“What could have been a total disaster turned into a battle we actually won, thanks to an incredible group of teams.”

Emergency Governance Vote Enabled Recovery
The emergency governance vote became the turning point in the $13.5M recovery. Community members approved the liquidation of the attacker’s wallet, which ensured the stolen assets could no longer be used or moved. The decision provided a direct path to securing the stolen crypto.
Security partners Hexagate and Hypernative detected suspicious activity within minutes of the phishing exploit. Their alerts led Venus Protocol to immediately pause the platform and begin an investigation.
The recovery process concluded in less than 12 hours, according to Venus Protocol. Additional assistance came from PeckShield, Binance, and SlowMist, who helped ensure that recovered tokens were safely returned.
Phishing Attack Used Malicious Zoom Client
In its post-mortem, Venus Protocol explained the execution of the phishing attack. The attackers installed a malicious Zoom client and tricked the victim into granting delegated control over the account. With this access, the attackers borrowed and redeemed assets on the victim’s behalf, draining millions in stablecoins and wrapped assets.
The attackers did not exploit a smart contract flaw. Instead, they directly accessed the victim’s account during the phishing incident. Audits confirmed that Venus Protocol’s smart contracts and front end remained secure.
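The pattern described above, a freshly approved delegate that immediately borrows and redeems on the approver's behalf, is one a monitoring team can watch for. The following is an added example, not code from Venus Protocol or its security partners: the event names, field layout and sample log are constructed for illustration, and a real deployment would read the lending protocol's own delegate-approval and borrow/redeem events from chain logs.

```python
"""
Added example (not Venus Protocol's code): flag accounts where a newly
approved delegate moves funds on the approver's behalf shortly after
the approval. Event kinds, fields and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int                 # unix seconds (constructed)
    kind: str               # "delegate_approved" | "borrow_on_behalf" | "redeem_on_behalf"
    account: str            # the account whose position is affected
    actor: str              # the address that sent the transaction
    amount_usd: float = 0.0  # value moved, for borrow/redeem events
    delegate: str = ""      # approved delegate, for delegate_approved events


# Constructed sample log: the first account approves a never-seen delegate
# that drains it within minutes; the second account shows benign delegate
# use (approval long ago) and a self-initiated borrow.
SAMPLE_EVENTS = [
    Event(1000, "delegate_approved", "0xVICTIM", "0xVICTIM", delegate="0xATTACKER"),
    Event(1100, "borrow_on_behalf", "0xVICTIM", "0xATTACKER", 5_000_000.0),
    Event(1200, "redeem_on_behalf", "0xVICTIM", "0xATTACKER", 8_500_000.0),
    Event(500, "delegate_approved", "0xALICE", "0xALICE", delegate="0xALICE_BOT"),
    Event(90_000, "borrow_on_behalf", "0xALICE", "0xALICE_BOT", 1_000.0),
    Event(1300, "borrow_on_behalf", "0xALICE", "0xALICE", 200.0),
]


def find_fresh_delegate_drains(events, window_seconds=86_400):
    """Return one alert per (account, delegate) where the delegate borrowed
    or redeemed on the account's behalf within window_seconds of being
    approved. Events are processed in timestamp order."""
    approved_at = {}   # (account, delegate) -> approval timestamp
    alerts = {}        # (account, delegate) -> running alert record
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "delegate_approved":
            approved_at[(ev.account, ev.delegate)] = ev.ts
            continue
        if ev.kind not in ("borrow_on_behalf", "redeem_on_behalf"):
            continue
        if ev.actor == ev.account:
            continue  # the owner acting on its own position is not delegation
        key = (ev.account, ev.actor)
        approval_ts = approved_at.get(key)
        if approval_ts is None or ev.ts - approval_ts > window_seconds:
            continue  # unknown or long-standing delegate: outside this rule
        rec = alerts.setdefault(key, {
            "account": ev.account,
            "delegate": ev.actor,
            "approved_at": approval_ts,
            "total_usd": 0.0,
            "n_actions": 0,
        })
        rec["total_usd"] += ev.amount_usd
        rec["n_actions"] += 1
    return sorted(alerts.values(), key=lambda a: a["account"])


def total_drained(alerts):
    """Sum the USD value across all alerts, useful for paging thresholds."""
    return sum(a["total_usd"] for a in alerts)


if __name__ == "__main__":
    for a in find_fresh_delegate_drains(SAMPLE_EVENTS):
        print(f"{a['account']} drained by fresh delegate {a['delegate']}: "
              f"${a['total_usd']:,.0f} over {a['n_actions']} actions")
```

The rule deliberately ignores delegates approved long before they act, since legitimate automation looks like that; the short window between approval and first borrow or redeem is the signal worth paging on, and a response like the pause described in this article is only useful if the alert arrives within that window.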
Because the attack bypassed protocol security entirely, it highlights the risk phishing poses in DeFi: the attackers operated through a legitimately granted delegation rather than by compromising Venus Protocol’s systems.
Lazarus Group Linked to the Phishing Attack
Blockchain security firm SlowMist linked the phishing attack to the Lazarus Group, a North Korea-backed collective. The group is known for major crypto thefts, including the $600 million Ronin bridge hack and the $1.5 billion Bybit exploit.
SlowMist carried out detailed analysis that connected the phishing exploit to the group. According to Kuan Sun, the firm was “among the very first to point out that Lazarus was behind this attack.”
The identification of the Lazarus Group emphasizes the global nature of crypto phishing threats. The group, believed to operate under North Korea’s intelligence agency, continues to target DeFi platforms and users worldwide.