Decentralized finance (DeFi) lending platform Venus Protocol has helped a user recover stolen crypto following a phishing attack tied to North Korea’s Lazarus Group.
On Thursday, Venus Protocol announced that it had successfully helped a user recover $13.5 million in crypto after the phishing incident that occurred on Tuesday. At the time, Venus Protocol paused the platform as a precautionary measure and started investigating.
According to Venus, the pause halted further fund movement, while audits confirmed Venus’ smart contracts and front end were uncompromised.
Emergency vote enables fund recovery
An emergency governance vote allowed the forced liquidation of the attacker’s wallet, enabling stolen tokens to be seized and sent to a recovery address.
Attackers exploited a malicious Zoom client
In the post-mortem, Venus revealed that the attackers used a malicious Zoom client to trick the victim into granting delegated control over the account.
This allowed the perpetrators to borrow and redeem on the victim’s behalf, enabling them to drain millions in stablecoins and wrapped assets.
However, the protocol’s security partners HExagate and Hypernative flagged the suspicious transaction within minutes, leading to the decision to pause the protocol. According to Venus, the recovery process unfolded in less than 12 hours.
Kuan Sun, who was identified as the victim of the attack, thanked the teams behind the recovery. “What could have been a total disaster turned into a battle we actually won, thanks to an incredible group of teams,” Sun wrote.
PeckShield, Binance, and SlowMist later assisted in the recovery.
Phishing attack linked to the Lazarus Group
SlowMist’s analysis linked the attack to the Lazarus Group, a North Korea-backed collective blamed for major crypto heists, including the $600M Ronin bridge exploit and the $1.5B Bybit hack.
Sun said SlowMist carried out extensive analysis work and “were among the very first to point out that Lazarus was behind this attack.”
The Lazarus Group is a North Korea-linked hacking collective believed to operate under the country’s intelligence agency.
The group has been tied to some of the biggest crypto heists in history, including the $600 million Ronin bridge exploit and the $1.5 billion Bybit hack.