Analysis · 2025-09-10

How a Hacker Lost 2.7M While Stealing from a Venus Whale

Daniel Tan

Security Operation / Audit

Summary

On September 2, a Venus protocol whale user fell victim to a phishing attack that granted the hacker borrowing and redeeming rights, putting approximately $13M of the user’s assets at risk. After the hack, however, the stolen assets remained within the Venus protocol. Thanks to the Venus team's quick response, the stolen funds were recovered, and the hacker ended up losing $2.7M.

The Phishing Attack

The victim (@KuanSun1990) was invited by a compromised Telegram account to join a Zoom meeting using a fake link. After the victim clicked the phishing link, the hacker gained privileges on the victim’s computer and made the victim submit a transaction that APPROVED the attacker as a valid delegate.

Figure: victim.png (https://x.com/KuanSun1990/status/1963568732917113141)

Figure: attack.png (https://bscscan.com/tx/0x75eee705a234bf047050140197aeb9616418435688cfed4d072be75fcb9be0e2)

On-chain Attack

  • The attacker took out a flash loan of 285 $BTC, combined it with the attacker's OWN 21 $BTC and 152K $XRP, and first repaid the victim's debt of 306 $BTC and 152K $XRP. (TX: 0x4216f924ceec9f45ff7ffdfdad0cea71239603ce3c22056a9f09054581836286)

  • The hacker then redeemed and borrowed assets on the victim’s behalf, having previously gained authorization.

  • The stolen assets were DEPOSITED back into the Venus Protocol.

  • To repay the 285 $BTC flash loan, the hacker BORROWED 285 $BTC from Venus. After this transaction, the hacker's collateral and DEBT were as follows:

  • Collateral: 19.8M $USDT, 3744 $WBETH, 7.15M $USDC, 311K $FDUSD, worth $43.3M in total.

  • Debt: 285 $BTC, worth $31.3M.

The hacker's collateral was worth $43.3M against a debt of $31.3M, leaving a net value of $12M within the Venus Protocol.

The Venus Rescue

The Venus team quickly paused the protocol, then initiated and passed an emergency vote, forcefully liquidated the hacker's positions, and recovered the stolen funds. (https://x.com/VenusProtocol/status/1963251755543839227)

How did the Venus team rescue stolen assets through liquidation?

After an emergency pause in the protocol, the Venus team liquidated the hacker's position. The key steps of the liquidation were temporarily increasing the $BTC price, liquidating the hacker's position, and restoring the $BTC price. (TX: 0xee9928b8d1a212f4d7b7e9dca97598394005a7b8fef56856e52351bc7921be43)

Raising the $BTCB price to an extremely high value, 1000000000000000000000000000000, pushed the hacker's debt above the collateral value, making the position eligible for liquidation. As a result, the stolen assets were recovered. As noted earlier, the hacker used his/her OWN 21 $BTC and 152K $XRP to carry out the hack. After liquidation, the hacker's own assets were also reduced to zero.
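The liquidation condition described above, worked through with the article's figures. This is an added example, not Venus code: the names Position, report and PRICE_SCALE are hypothetical, the 1e18 price scale is an assumption, and collateral_factor=1.0 mirrors the article's simplification that debt only has to exceed collateral value.

```python
from dataclasses import dataclass

# Figures taken from the article; everything else is an assumption.
COLLATERAL_USD = 43_300_000   # hacker's total collateral value
DEBT_BTC = 285                # hacker's borrow, in BTC
DEBT_USD = 31_300_000         # value of that borrow at the market price
OVERRIDE_RAW = 10**30         # temporary $BTCB oracle price from the article
PRICE_SCALE = 10**18          # ASSUMPTION: oracle price is USD scaled by 1e18


@dataclass(frozen=True)
class Position:
    collateral_usd: float
    debt_units: float         # debt denominated in the borrowed asset

    def debt_usd(self, price: float) -> float:
        return self.debt_units * price

    def shortfall(self, price: float, collateral_factor: float = 1.0) -> float:
        """USD by which debt exceeds borrowing power; > 0 means liquidatable.

        collateral_factor is a hypothetical parameter: lending markets
        normally use a value below 1, which lowers the break-even price.
        """
        power = self.collateral_usd * collateral_factor
        return max(0.0, self.debt_usd(price) - power)

    def breakeven_price(self, collateral_factor: float = 1.0) -> float:
        """Price of the borrowed asset above which the position is liquidatable."""
        return self.collateral_usd * collateral_factor / self.debt_units


def report() -> dict:
    pos = Position(COLLATERAL_USD, DEBT_BTC)
    market = DEBT_USD / DEBT_BTC            # implied market price per BTC
    override = OVERRIDE_RAW / PRICE_SCALE   # USD per BTC under the scale assumption
    return {
        "market_price": market,
        "net_value_at_market": pos.collateral_usd - pos.debt_usd(market),
        "liquidatable_at_market": pos.shortfall(market) > 0,
        "breakeven_price": pos.breakeven_price(),
        "liquidatable_at_override": pos.shortfall(override) > 0,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

At the market price the position is healthy by about $12M, so an ordinary liquidation was not possible; under these assumptions any oracle price above roughly $151.9K per BTC flips it.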

Addresses

Victim: 0x563617b87d8BB3F2f14BB5a581f2E19F80b52008

Hacker: 0x7fd8f825e905c771285f510d8e428a2b69a6202a

Reference

https://x.com/KuanSun1990/status/1963568732917113141

https://x.com/VenusProtocol/status/1963251755543839227