The scammer carried out a complex attack using social engineering techniques and hacking a browser extension

How a Venus Protocol user was hacked and why $13 million was recovered

08.09.2025

371

4 min

On September 2, 2025, a user with the nickname @KuanSun1990 fell victim to an attack that caused him to lose approximately $13 million in the Venus protocol. GetBlock AML Research explains in detail how the scammer was able to take possession of the victim’s assets.

Cause of the incident

The user accidentally opened a fake Zoom link created by scammers. On this site, he was forced to install malicious code. As a result, the attackers gained complete control over his computer.

Many records in the system were deleted, which complicated the investigation. The victim himself recalled that he used a well-known browser wallet extension. He suspects that the scammers replaced the code of this wallet on his computer.

As a result, when the user wanted to withdraw his funds through the hardware wallet, the operation was changed: instead of withdrawing tokens, a command was launched that transferred control of his assets to the scammers.

Venus Protocol user loses $27 million to phishing scam

Venus Protocol user loses $27 million to phishing scam

The losses were due to a compromised wallet, not a vulnerability in the Venus Protocol. On the same day, hackers attacked the DeFi platform Bunni for $2,3 million

Read more

How the scammer acted

The attacker used social engineering techniques. They pretended to be a business partner and invited the victim to a Zoom meeting by sending a link via Telegram.

Since the victim had several meetings scheduled at the same time, he was in a hurry and did not notice that the website domain was not genuine. During the conversation, the scammer rushed him and did not give him any reason to suspect that the updates offered on the website were malicious. As a result, the computer ended up completely under the control of the criminal.

Wallet substitution

After taking control of the device, the scammer changed the code in the browser extension that was used to work with the wallet. Now, this extension could replace transaction data.

The victim’s hardware wallet did not have a “What You See Is What You Sign” verification mechanism and supported “blind signatures.” Because of this, the user signed the replaced transaction without even suspecting it.

Preparing the attack

The day before the incident (September 1), the scammer transferred 21,18 BTCB and 205 000 XRP to their addresses to use these funds to seize the victim’s assets.

Ten hours after the computer was infected, the victim visited the official Venus website and attempted to withdraw USDT tokens. However, the extension, which had been modified by the hacker, hijacked the transaction. Instead of withdrawing funds, a command was executed to transfer control of the assets to the scammer.

Six months after the $1,5 billion Bybit hack. How the incident changed the industry

Six months after the $1,5 billion Bybit hack. How the incident changed the industry

North Korean hackers behind the Bybit hack had to invent new ways to launder cryptocurrency because they found themselves in a situation unique to the industry

Read more

Transaction delegating positions on Venus to the scammer

The course of the attack

After gaining control, the attacker immediately took out a flash loan through the Lista service to borrow additional assets. They paid off part of the victim’s debts on Venus, then accessed his collateral assets (USDT, USDC, WBETH, FDUSD, ETH) and withdrew them to his own addresses.

To repay the flash loan, he again deposited some of the assets into Venus and borrowed BTCB.

Venus team’s response

When the scammer had already taken control of the victim’s positions but had not yet managed to carry out any new transactions, the Venus team managed to intervene:

  • they suspended the protocol,
  • blocked the ability to withdraw funds,
  • and launched an emergency vote to restore the system.

Venus team statement on the incident

As a result, the Venus team forcibly liquidated the scammer’s positions and returned the stolen assets to the victim. It was also revealed that the scammer transferred some of the funds through the ChangeNOW exchange, various decentralized protocols (1inch), and the eXch exchange.

Graph of the scammer’s address connections

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy