Key Insights:
- Venus Protocol whale lost $13.5 million through a sophisticated phishing attack on Sept. 1.
- The attacker gained borrowing and redemption authorization through a compromised wallet extension.
- The protocol paused operations to prevent the hacker from accessing remaining funds.
A BNB-based Venus Protocol whale lost approximately $13.5 million after falling victim to a sophisticated phishing attack that compromised the user’s positions on Sept. 1 at 3:26 PM UTC, according to on-chain data and security firm reports.
The attack prompted Venus Protocol to pause operations immediately after the incident was discovered. The protocol confirmed the smart contract remained secure while investigations continued into the targeted assault on one of its largest users.
Targeted Attack Compromised Hardware Wallet Setup
Security firm Beosin initially reported losses exceeding $27 million before PeckShield corrected the figure to approximately $13.5 million. The discrepancy occurred because initial calculations failed to exclude the whale’s debt position from total losses.
PeckShield noted in its analysis that “initial estimates were higher as we did not exclude the debt position.” This correction provided a more accurate assessment of the actual funds drained from the whale’s Venus Protocol positions.
Yu Xian, founder of security firm SlowMist, provided a detailed analysis of the attack method on Sept. 2. The investigation revealed that the whale used a hardware wallet, but attackers compromised the related wallet extension on the victim’s computer.
Xian explained:
“When the user issued a normal redeemUnderlying operation, it was replaced with an updateDelegate operation.”
The substitution granted the attacker borrowing and redemption authorization over the whale’s positions without the victim’s knowledge.
The attack exploited a vulnerability in the combined setup of a hardware wallet and a browser extension. Despite using what many consider the most secure storage method, the whale fell victim to sophisticated social engineering techniques.
North Korean Hackers Suspected in Premeditated Attack
The attack showed signs of careful planning and sophisticated funding sources. Gas fees for the attack originated from Monero (XMR) exchanges, while other funds were traced back to eXch, a previously sanctioned dark web exchange favored by North Korean hackers.
Xian’s investigation revealed the funding structure used by the attackers.
“The hacker was very premeditated, with somewhat complex funding sources, among which the gas came from XMR exchanges.”
The connection to eXch raised additional red flags among security researchers. The exchange had been sanctioned and taken down, with previous usage patterns linked to North Korean state-sponsored hacking groups targeting cryptocurrency platforms and users.
Xian’s analysis indicated the whale was specifically targeted rather than caught in a broader attack.
After a thorough investigation, SlowMist therefore assessed that a compromise of Venus Protocol’s frontend was unlikely and that the attack potentially focused solely on the individual user.
“The large holder’s computer may have been subjected to a targeted poisoning attack,” Xian explained, describing how attackers likely gained access to the victim’s system before executing the Venus Protocol drain.
Venus Pauses Protocol to Protect Remaining Funds
Venus Protocol responded quickly to protect the victim’s remaining assets. The team confirmed direct contact with the affected whale and committed to keeping the protocol paused during recovery efforts.
Venus Protocol stated:
“We are aware of the user wallet being drained (smart contract is safe) and are actively investigating. Venus is currently paused following security protocols.”
The protocol noted that resuming operations would allow the hacker to access additional funds, demonstrating the team’s priority on user protection over protocol uptime.
“Venus was not exploited, but we are committed to protecting our users. If the protocol resumes now, the hacker gets the user’s funds.”
This decision reflected the protocol’s commitment to user security despite potential revenue losses from suspended operations.
SlowMist coordinated with the victim on recovery efforts while maintaining the confidentiality of the investigation. Xian cautioned that “the actual loss is not accurate either, it may not have exceeded 20 million USD” as investigations continued.
The incident highlighted vulnerabilities in wallet extension security, despite the use of hardware wallets.
The attack demonstrated how sophisticated threat actors can bypass traditional security measures through targeted computer compromise and social engineering rather than direct protocol exploitation.
A whale on Venus Protocol lost about $13.5 million in a sophisticated phishing attack that compromised their hardware wallet setup, prompting the protocol to pause operations. Security firms linked the targeted hack to North Korean groups, though Venus confirmed its smart contracts remained secure.
Source: https://www.thecoinrepublic.com/2025/09/02/venus-halts-services-after-whale-loses-13-5m-in-phishing-attack/