Anatomy of the Venus Protocol Whale Hack

BeInCrypto, 2025/09/05 13:17
By: Paul Kim
A crypto whale, Kuan Sun, lost $13.5M in a sophisticated phishing attack that exploited a fake Zoom meeting. Thanks to a quick response, he successfully recovered the funds.

Earlier this week, crypto whale Kuan Sun used his X account to share a detailed account of being targeted by a sophisticated phishing attack.

This story serves as a stark warning to all investors, as he lost and then recovered $13.5 million. As the digital asset ecosystem expands, so does the risk of hacking. How can investors prevent massive losses?

A Seemingly Harmless Meeting That Became a Nightmare

A phishing attack on Tuesday robbed Kuan Sun, a user of the decentralized lending platform Venus Protocol, of his cryptocurrency. However, thanks to the swift response and cooperation of the Venus Protocol team, he was able to recover the stolen funds.

The elaborate attack began in April 2025 at the Hong Kong Wanxiang Conference. There, a mutual friend introduced Sun to someone who claimed to be a representative for Stack’s Asia Business Development. This kind of networking is common in the crypto space, and they added each other on Telegram.

On August 29, the so-called “BD” requested a simple Zoom meeting. Sun joined late and noticed that there was no sound in the room.

A pop-up message on his webpage read, “Your microphone needs an update.” Confused, Sun clicked the upgrade button—a fatal mistake that set the trap.

Sun later realized the hackers were not acting on the fly. He said the highly customized attack had been in motion since Monday, targeting him specifically.

[Image: X Post From the Victim]

After the “update,” he started seeing strange messages on his computer. The Chrome browser would close abnormally, and a “Restore tabs?” message would pop up.

Suspecting nothing, Sun continued his routine and accessed Venus Protocol through his browser. There, he proceeded to perform a withdrawal, a task he had done countless times before.

Shortly after, his computer slowed down, his Google account was logged out of Chrome, and strange, unfamiliar transactions appeared in his wallet. He immediately knew something was terribly wrong.

The analysis suggests that the hackers replaced his frequently used Rabby wallet extension with a malicious program. This tactic is often used by Lazarus, the notorious North Korean hacking group.

After gaining wallet approval authority, they quickly transferred various tokens, including vUSDC, vETH, vWBETH, and vBNB.

A Swift Recovery and Key Lessons

Sun acted quickly by contacting blockchain security firms PeckShield and SlowMist for guidance. He also reached out to the Venus Protocol team for help.

As a result, Venus Protocol immediately paused the platform as a preventive measure and began an investigation.

They then initiated an emergency governance vote to force-liquidate the attacker’s wallet, allowing Sun to successfully recover his $13.5 million.

On Thursday, Sun shared his story and his key takeaways. He warned that North Korean hackers are increasingly using a combination of social engineering, deepfakes, and Trojans.

As a result, what appears to be a legitimate video conference or a normal Twitter account could be entirely fake.

He specifically advised users to avoid Zoom links from others and to download program plugins only from official channels. He also urged them never to click “upgrade” links that appear in pop-up windows.

Sun expressed his gratitude to the Venus team for their swift action in preventing further damage. He urged everyone to “always be suspicious of any requests you receive in daily life, and always respond calmly.”
