A phishing attack on a Venus Protocol user has once again shown that vulnerabilities in connected applications, not core code, pose some of the biggest threats in decentralized finance. The incident did not involve a flaw in Venus Protocol’s smart contracts but instead targeted the tools a user relied on to access them.

What happened

Security firms Beosin and PeckShield reported that a Venus Protocol user fell victim to phishing, which led to unauthorized borrowing and asset redemptions from the platform. Early estimates placed the theft above $27 million, but after accounting for the user’s existing debt, the figure was narrowed to about $13.5 million.

Venus Protocol reacted by temporarily pausing specific operations to limit further risk. The team emphasized that its contracts continued to function securely and that the breach stemmed from phishing activity rather than protocol design.

How the attack worked

Yu Xian, founder of the security company SlowMist, explained that the user’s hardware wallet had not been hacked. Instead, attackers took advantage of a compromised browser extension that interacted with the wallet. This tricked the victim into approving harmful transactions.

Blockchain analysis suggested that the attackers attempted to hide their tracks via exchanges and privacy-focused channels. This indicated a deliberate, targeted operation rather than a wide-scale exploit.

The phishing attack is believed to have been orchestrated by the Lazarus Group, a notorious hacker outfit based in North Korea. The group has been linked to several high-profile cybercrimes, including the $620 million Ronin Bridge breach in 2022, the $100 million Harmony Bridge exploit that same year, the $100 million Atomic Wallet hack in 2023, and more recently the $1.5 billion Bybit hack in March 2025. In this incident, attackers tricked the victim into approving a malicious transaction by imitating a trusted platform, ultimately draining the user’s funds. 

Reaction in the market and community

Following the incident, Venus’s governance token (XVS) saw a sharp drop and quick recovery, leaving traders struggling to interpret whether the attack had broader protocol implications. The wider community discussion soon shifted, with more focus on the dangers of phishing and access permissions than on Venus’s code itself.

The bigger picture on DeFi security

Phishing and social engineering remain leading threats across the DeFi sector, often surpassing direct contract exploits in user losses. For example, CertiK’s mid-year 2023 report highlighted hundreds of millions lost to these techniques, while Hacken has consistently discussed social engineering as among the most damaging risks in crypto security.

This case underscores that hardware wallets reduce certain risks, such as malware stealing private keys, but they cannot prevent a user from unknowingly confirming a malicious request.
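The gap described above, a signer that cannot tell a routine approval from an unlimited one to an unknown spender, is exactly what a pre-signing calldata check closes. The following is an added example, not Venus Protocol or wallet code: it decodes the standard ERC-20 `approve` and ERC-721 `setApprovalForAll` selectors and flags unlimited allowances or spenders outside a user-maintained allowlist; the allowlist and the sample calldata are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Standard function selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 / ERC-1155
}
UINT256_MAX = 2**256 - 1
# Constructed allowlist: the only contracts this user expects to grant approvals to.
KNOWN_SPENDERS = {"0x" + "11" * 20}

@dataclass
class Verdict:
    function: str
    spender: str
    unlimited: bool
    known_spender: bool

    @property
    def risky(self) -> bool:
        # Either condition is what a drain-by-approval phishing flow relies on.
        return self.unlimited or not self.known_spender

def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    return data[start:start + 32]

def inspect_calldata(hex_calldata: str) -> Optional[Verdict]:
    """Decode an approval-type call; return None if it is not an approval."""
    data = bytes.fromhex(hex_calldata.lower().removeprefix("0x"))
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None
    # Both functions take exactly two 32-byte words; the address word is left-padded.
    if len(data) != 4 + 2 * 32 or any(_word(data, 0)[:12]):
        raise ValueError(f"malformed ABI encoding for {name}")
    spender = "0x" + _word(data, 0)[12:].hex()
    amount = int.from_bytes(_word(data, 1), "big")
    # approve(): max uint256 is an unlimited allowance.
    # setApprovalForAll(): a value of 1 means "approved = true" for every token.
    unlimited = amount == (UINT256_MAX if name.startswith("approve(") else 1)
    return Verdict(name, spender, unlimited, spender in KNOWN_SPENDERS)

# Constructed phishing-style calldata: unlimited approval to an unknown address.
PHISHING_APPROVE = "0x095ea7b3" + "00" * 12 + "de" * 20 + "ff" * 32

if __name__ == "__main__":
    verdict = inspect_calldata(PHISHING_APPROVE)
    print(verdict, "-> REFUSE TO SIGN" if verdict and verdict.risky else "-> ok")
```

A check like this belongs in the path between the dapp and the signer (a wallet, or an extension the user actually trusts), because the hardware device itself only attests that the bytes it was shown were signed.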
