DeFi lending platform halts exploit and enables fund recovery
Venus Protocol, a leading decentralized finance (DeFi) lending platform, successfully recovered $13.5 million in stolen assets after a user fell victim to a phishing attack linked to North Korea’s Lazarus Group. The incident, which unfolded earlier this week, highlights both the risks of phishing exploits and the growing ability of DeFi platforms to respond rapidly.
Attack through a malicious Zoom client
According to Venus, the attackers tricked the victim, identified as Kuan Sun, into downloading a malicious Zoom client. This granted the perpetrators delegated control over the account, allowing them to borrow and redeem funds on the victim’s behalf. Within minutes, millions in stablecoins and wrapped assets were drained.
Emergency pause and governance vote
In response, Venus paused the protocol as a precaution, ensuring no further movement of funds. Security partners HExagate and Hypernative flagged the suspicious transaction quickly, prompting a community-driven emergency governance vote.
The vote authorized a forced liquidation of the attacker’s wallet, enabling the stolen tokens to be seized and sent to a recovery address. Venus confirmed that its smart contracts and front end remained uncompromised, easing concerns of systemic risk.
Swift recovery in under 12 hours
The recovery process was completed in less than 12 hours, an unusually fast resolution for a large-scale DeFi exploit.
Kuan Sun praised the collaborative response, stating:
“What could have been a total disaster turned into a battle we actually won, thanks to an incredible group of teams.”
In addition to Venus, industry players including PeckShield, Binance, and SlowMist contributed to the recovery.
Link to the Lazarus Group
Cybersecurity firm SlowMist conducted a detailed investigation, linking the phishing exploit to the Lazarus Group—a North Korean state-backed hacking collective notorious for major crypto heists. The group has been blamed for the $600 million Ronin Bridge exploit and the $1.5 billion Bybit hack.
Sun noted that SlowMist was “among the very first to point out that Lazarus was behind this attack.”
The incident underscores both the sophistication of phishing threats and the importance of rapid coordination between DeFi protocols and security partners. While Lazarus Group continues to target the crypto industry, Venus Protocol’s decisive action demonstrates that community governance and security networks can turn the tide against attackers.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.