Phishing attack on Venus Protocol: $13 million targeted

On September 2, 2025, a user of the Venus Protocol fell victim to a sophisticated phishing attack. The incident initially resulted in a loss of around 13 million US dollars, but most of it was reversed thanks to a quick response from the Venus team and several security partners.

The attack: social engineering, deepfakes and manipulated plugins

After analyzing the incident, it emerged that it was a deliberately planned social engineering campaign. The attackers, who are believed to be affiliated with the North Korean hacker group Lazarus, combined phishing, deepfake technology, and malware. A manipulated Zoom link lured the victim into a fake meeting, in which a convincing-looking prompt appeared requesting an alleged "upgrade" of the microphone. Clicking on this prompt silently installed a malicious browser plugin that imitated a well-known wallet extension. Through it, the victim was tricked into signing a malicious transaction that granted the perpetrators extensive permissions over the wallet. The attackers then used these permissions to borrow funds against the victim's positions and immediately redirect them to their own wallet.

Special features of the attack

The attack was highly targeted: the attackers analyzed the victim's wallet structure in detail and tailored the attack precisely to the victim's positions in the Venus Protocol. Evidence suggests that deepfake videos were used to make fake identities appear credible.

Another feature: the attack succeeded even though the victim used a hardware wallet. The reason was the manipulation of the frontend. The victim signed correctly and with the device, but the transaction presented for signature was not the one the interface appeared to show. A hardware wallet only proves that the key holder approved the bytes it was handed; it does not check that those bytes match the user's intent unless the user decodes and verifies the transaction contents on the device itself.

The reaction: Rapid intervention saves millions

Immediately after the incident became known, the victim informed the security company PeckShield, which promptly established contact with the Venus team.

The developers of Venus reacted decisively. The protocol was temporarily paused to prevent further damage. As part of the measures taken, the attacker's account was forcibly liquidated so that the previously stolen funds could be recovered and credited to the victim.

In addition to Venus and PeckShield, partners such as Binance, Chaos Labs, Hexagate, Hypernative Labs, and SlowMist were involved in the emergency measures.

Important safety measures

The case illustrates how advanced hacker groups like Lazarus have become in their attack methods. What is particularly critical is that even experienced users with hardware wallets are no longer automatically protected once the frontend is compromised.

It is recommended not to hold sensitive meetings over Zoom, because the platform has been abused several times for social engineering attacks. Plugins and wallets should be installed exclusively from official sources, never via pop-ups or external links. A healthy amount of skepticism is also appropriate toward "semi-familiar" contacts, as attackers deliberately pose as people who do not appear completely unknown but who are also not part of the target's close circle. Hardware wallets remain useful, but they require careful verification of each individual transaction: the contract address, the function being called, and the permissions it grants should be checked on the device display, not in the browser.
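The frontend manipulation described above works because the wallet signs raw calldata, while the user only sees what the page chooses to render. The check a practitioner can actually perform is to decode that calldata independently before confirming. The following is an added example, not code from Venus Protocol or from the page's author: it decodes the standard ERC-20/ERC-721 permission calls (`approve`, `setApprovalForAll`, `transfer`) from raw calldata and flags unlimited allowances, untrusted spenders, and unknown selectors. The selectors are the well-known 4-byte identifiers of those functions; the sample calldata and spender address are constructed for illustration. The page does not name the specific Venus function the victim signed, so that call is not modelled here; an unknown selector is treated as a reason to stop and decode on the device.

```python
"""Decode EVM calldata before signing and flag permission grants.

Added example, not code from the Venus Protocol or the page's author. It
assumes the standard ERC-20/ERC-721 function signatures; the sample calldata
and the spender address are constructed for illustration.
"""

UNLIMITED = 2**256 - 1

# 4-byte selectors are the first four bytes of keccak256(signature); these are
# the standard values for the listed functions.
KNOWN_FUNCTIONS = {
    "095ea7b3": ("approve(address,uint256)", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
    "a9059cbb": ("transfer(address,uint256)", ("address", "uint256")),
}


def _decode_word(word: bytes, abi_type: str):
    """Decode one 32-byte ABI word of a static type."""
    if abi_type == "address":
        return "0x" + word[12:].hex()  # addresses are right-aligned in the word
    if abi_type == "uint256":
        return int.from_bytes(word, "big")
    if abi_type == "bool":
        return int.from_bytes(word, "big") != 0
    raise ValueError(f"unsupported ABI type {abi_type}")


def decode_calldata(calldata_hex: str) -> dict:
    """Split calldata into its selector and statically typed arguments."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    entry = KNOWN_FUNCTIONS.get(selector)
    if entry is None:
        return {"selector": selector, "function": None, "args": []}
    name, types = entry
    body = data[4:]
    if len(body) < 32 * len(types):
        raise ValueError("calldata truncated")
    args = [_decode_word(body[32 * i:32 * (i + 1)], t) for i, t in enumerate(types)]
    return {"selector": selector, "function": name, "args": args}


def assess_risk(decoded: dict, trusted_spenders: set) -> list:
    """Return warnings for calls that hand control of funds to another address."""
    warnings = []
    fn = decoded["function"]
    if fn is None:
        warnings.append(f"unknown selector {decoded['selector']}: decode on the device or refuse")
        return warnings
    if fn.startswith("approve("):
        spender, amount = decoded["args"]
        if spender.lower() not in trusted_spenders:
            warnings.append(f"approve to untrusted spender {spender}")
        if amount == UNLIMITED:
            warnings.append("unlimited allowance: spender can drain the full balance")
    elif fn.startswith("setApprovalForAll("):
        operator, approved = decoded["args"]
        if approved:
            warnings.append(f"setApprovalForAll grants {operator} control of every token")
    return warnings


def encode_call(selector_hex: str, *words: int) -> str:
    """Build calldata from a selector and static 32-byte words (used for samples)."""
    return "0x" + selector_hex + "".join(w.to_bytes(32, "big").hex() for w in words)


if __name__ == "__main__":
    # Constructed sample: approve(spender, unlimited) to an address we do not trust.
    spender = int("deadbeef" * 5, 16)
    calldata = encode_call("095ea7b3", spender, UNLIMITED)
    decoded = decode_calldata(calldata)
    print(decoded)
    for warning in assess_risk(decoded, trusted_spenders=set()):
        print("WARNING:", warning)
```

The same decoding should be done on the hardware wallet's own screen where the device supports it. Running it on the host only helps against a manipulated web page, not against a compromised host; its value here is that the check does not trust the browser extension that presented the transaction.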

Conclusion

The phishing attack on the Venus Protocol demonstrates how professional and technically sophisticated hacker groups have become. The recovery of the stolen funds is a rare exception and was possible only thanks to the coordinated actions of several security teams.

The most important finding: technical security alone is not enough. Human factors such as trust, routine, and carelessness remain the gateway for attacks, making social engineering the biggest threat in the DeFi space.