
Venus Protocol Recovers $13.5M in Phishing Attack Funds


Venus Protocol recovered $13.5M stolen in a phishing attack linked to the Lazarus Group. The incident shows the challenges of DeFi security and the role of governance solutions.

The BNB-based Venus Protocol has successfully recovered $13.5 million in stolen funds after a major phishing attack. 

The victim, identified as Kuan Sun, praised the recovery as “a battle we actually won” thanks to coordinated efforts between the protocol and its security partners.

How the Venus Protocol phishing attack unfolded

The attack happened on September 2, when hackers used a manipulated Zoom client to break into Sun’s account. They tricked him into granting them delegated control of his account, which then allowed them to borrow and redeem assets directly from his wallet. 

By the end of the exploit, millions in stablecoins and wrapped assets were drained within minutes.

Venus Protocol immediately paused its platform to stop further damage. Audits confirmed that the protocol’s smart contracts and front-end were unaffected, which ruled out the possibility of systemic flaws. Instead, the hack was entirely due to social engineering tactics that targeted the victim, also known as phishing.

How emergency moves enabled recovery

Within hours of detecting the breach, Venus Protocol kick-started an emergency governance vote. The vote allowed for the forced liquidation of the attacker’s wallet, which made it possible to seize stolen tokens and redirect them to a recovery address.

This governance structure, which is built into the protocol, was important for the successful recovery. Without it, assets might have remained locked in compromised wallets or laundered through exchanges.

The entire process, from identifying the breach to securing the funds, took less than 12 hours. 

Security partners like Hexagate and Hypernative provided monitoring support, while PeckShield, Binance and SlowMist also participated in tracing transactions.

Phishing threats in crypto are still a major risk

Phishing has become one of the most common and dangerous attack vectors in crypto. Unlike traditional hacks that take advantage of code flaws, phishing attacks rely on tricking users into granting permissions to the attacker.

In this case, the attackers exploited Zoom, a trusted platform, to distribute malware and gain wallet access from their victim. Similar scams tend to involve other methods like fake websites, fake wallets or signing requests.

As DeFi adoption grows, the frequency of these attacks is rising. Reports since early 2024 show strong increases in phishing-related losses across multiple blockchains.

Who was responsible for the hack?

Security firm SlowMist traced the Venus Protocol attack to the North Korean Lazarus Group. 

The group has been blamed for some of the largest crypto heists in history, including the $600 million Ronin Bridge hack and the $1.5 billion Bybit exploit.

The recovery of $13.5 million proves that collaboration can be a great fix for disasters like these. Overall, the incident also shows the ongoing risks in DeFi.

Phishing attacks are not slowing down, and state-sponsored groups like Lazarus are becoming more aggressive. In order to keep assets safe, platforms must continue investing in monitoring systems and education for their communities.

The Venus Protocol event will likely be studied as both a warning and a model. The platform has become a reminder that threats are likely to continue showing up. 

Still, all hope isn’t lost when they do happen.
