DeFi Platform Thwarts North Korean Hackers in 12-Hour Crypto Showdown
Venus Protocol, a decentralized finance (DeFi) lending platform, successfully recovered $13.5 million in stolen cryptocurrency within 12 hours after a phishing attack attributed to North Korea’s Lazarus Group. The incident unfolded when an attacker used a malicious Zoom client to deceive user Kuan Sun into granting delegated control over his account, enabling the unauthorized draining of stablecoins and wrapped assets. The attack was detected within minutes by security firms Hexagate and Hypernative, prompting Venus Protocol to halt platform operations as a precaution.
The response included an emergency governance vote, a process that allowed platform stakeholders to authorize the forced liquidation of the attacker’s wallet. This action redirected the stolen funds to a secure recovery address. The swift intervention prevented further losses and demonstrated the platform's capacity to respond effectively to cyber threats. Venus Protocol confirmed that its smart contracts and user interface remained secure throughout the incident, with post-incident audits finding no compromise of its core infrastructure.
Kuan Sun, the victim of the attack, expressed gratitude for the collaborative efforts of multiple organizations, including PeckShield, Binance, and SlowMist, which played key roles in tracking and reclaiming the assets. SlowMist’s forensic analysis confirmed the attack's connection to the Lazarus Group, a state-sponsored hacking collective known for its involvement in high-profile cryptocurrency thefts, including the $600 million Ronin bridge exploit and the $1.5 billion Bybit exchange hack. Lazarus Group’s tactics often involve social engineering rather than exploiting technical vulnerabilities, a method that allows them to bypass traditional security measures.
The attack on Venus Protocol highlights the growing sophistication of cyber threats targeting the DeFi sector. Unlike traditional banking systems, DeFi platforms operate through smart contracts and rely on user-driven governance mechanisms for decision-making. The use of emergency governance votes in this case enabled a rapid and coordinated response that mitigated potential losses. Additionally, the incident underscores the broader challenge of phishing scams in the cryptocurrency space, particularly those involving social engineering and malicious software.
The recovery of $13.5 million stands in contrast to the broader trends in crypto phishing losses. ScamSniffer’s August 2025 report noted a 72% increase in funds lost to phishing scams compared to the previous month, with a total of $12.17 million reported. The report also highlighted a 67% increase in the number of victims, with 15,230 users affected in August. EIP-7702 batch-signature scams accounted for a significant portion of these losses, with attackers exploiting vulnerabilities introduced by Ethereum upgrades to conduct unauthorized transfers. This type of scam, which disguises malicious activity as legitimate Uniswap transactions, is becoming more prevalent and poses a growing risk to DeFi users.
The incident also underscores the importance of collaboration in the DeFi ecosystem. Multiple firms, including security providers and exchange partners, contributed to the successful recovery of the stolen funds. Their combined efforts reflect the evolving nature of security practices in the blockchain industry, where rapid response and information sharing are essential in countering sophisticated cyber threats.