How a Venus Protocol user was hacked and why $13 million was recovered
The scammer carried out a complex attack using social engineering techniques and hacking a browser extension
08.09.2025
372
4 min
0
On September 2, 2025, a user with the nickname @KuanSun1990 fell victim to an attack that caused him to lose approximately $13 million in the Venus protocol. GetBlock AML Research explains in detail how the scammer was able to take possession of the victim’s assets.
Cause of the incident
The user accidentally opened a fake Zoom link created by scammers. On this site, he was forced to install malicious code. As a result, the attackers gained complete control over his computer.
Many records in the system were deleted, which complicated the investigation. The victim himself recalled that he used a well-known browser wallet extension. He suspects that the scammers replaced the code of this wallet on his computer.
As a result, when the user wanted to withdraw his funds through the hardware wallet, the operation was changed: instead of withdrawing tokens, a command was launched that transferred control of his assets to the scammers.
Venus Protocol user loses $27 million to phishing scam
The losses were due to a compromised wallet, not a vulnerability in the Venus Protocol. On the same day, hackers attacked the DeFi platform Bunni for $2,3 million
How the scammer acted
The attacker used social engineering techniques. They pretended to be a business partner and invited the victim to a Zoom meeting by sending a link via Telegram.
Since the victim had several meetings scheduled at the same time, he was in a hurry and did not notice that the website domain was not genuine. During the conversation, the scammer rushed him and did not give him any reason to suspect that the updates offered on the website were malicious. As a result, the computer ended up completely under the control of the criminal.
Wallet substitution
After taking control of the device, the scammer changed the code in the browser extension that was used to work with the wallet. Now, this extension could replace transaction data.
The victim’s hardware wallet did not have a “What You See Is What You Sign” verification mechanism and supported “blind signatures.” Because of this, the user signed the replaced transaction without even suspecting it.
Preparing the attack
The day before the incident (September 1), the scammer transferred 21,18 BTCB and 205 000 XRP to their addresses to use these funds to seize the victim’s assets.
Ten hours after the computer was infected, the victim visited the official Venus website and attempted to withdraw USDT tokens. However, the extension, which had been modified by the hacker, hijacked the transaction. Instead of withdrawing funds, a command was executed to transfer control of the assets to the scammer.
Six months after the $1,5 billion Bybit hack. How the incident changed the industry
North Korean hackers behind the Bybit hack had to invent new ways to launder cryptocurrency because they found themselves in a situation unique to the industry
Transaction delegating positions on Venus to the scammer
The course of the attack
After gaining control, the attacker immediately took out a flash loan through the Lista service to borrow additional assets. They paid off part of the victim’s debts on Venus, then accessed his collateral assets (USDT, USDC, WBETH, FDUSD, ETH) and withdrew them to his own addresses.
To repay the flash loan, he again deposited some of the assets into Venus and borrowed BTCB.
Venus team’s response
When the scammer had already taken control of the victim’s positions but had not yet managed to carry out any new transactions, the Venus team managed to intervene:
- they suspended the protocol,
- blocked the ability to withdraw funds,
- and launched an emergency vote to restore the system.
Venus team statement on the incident
As a result, the Venus team forcibly liquidated the scammer’s positions and returned the stolen assets to the victim. It was also revealed that the scammer transferred some of the funds through the ChangeNOW exchange, various decentralized protocols (1inch), and the eXch exchange.
Graph of the scammer’s address connections
Useful material?
Research
One and the same cryptocurrency address received two completely opposite assessments from different analytics systems: from an ordinary gambling service to an extremely severe criminal offense. This story has become the starting point for a broader conversation about what the scientific standards of blockchain analysis should look like — and why errors in systems like these can shape the fates of real people.
Jul 1, 2026
Research
The blockchain has helped uncover the ties between cryptocurrency fundraising campaigns, exchangers in Syria, and intermediaries in several countries around the world. A telltale pattern has emerged in which the same addresses were used across multiple donation drives at once
Jun 24, 2026
Research
Four Iranian cryptocurrency exchanges accounted for roughly 78% of all digital asset volume tied to the country in 2025. They have now become the focal point of the largest U.S. sanctions campaign against Iran's cryptocurrency infrastructure.
Jun 5, 2026
Research
A financial system is already up and running on public blockchains, with loans, analogues of U.S. Treasuries, and automated capital markets. More than $551 billion has flowed through DeFi protocols — but most of that activity has nothing to do with the real economy and everything to do with the speculative build-up of risk.
May 29, 2026
Research
Around 97% of Chinese suppliers of chemicals used to make fentanyl accept payment in cryptocurrency. The volume of such transactions continues to grow alongside the global market for synthetic drugs
May 22, 2026
Research
For the first time, the new law makes blockchain analytics an officially mandatory tool of financial oversight in the United States. Authorities will also gain the power to restrict transactions with foreign crypto services tied to money-laundering risks.
May 20, 2026
Telegram
Twitter