North Korean hackers struck again as the notorious Lazarus Group launched a sophisticated phishing attack against Venus Protocol, nearly making off with $13.5 million in cryptocurrency assets. The September 2, 2025 incident targeted user Kuan Sun through an ingenious social engineering scheme involving a compromised Zoom application.
Like digital pickpockets with state backing, the Lazarus operatives tricked Sun into installing what appeared to be legitimate software. This malicious Zoom client gave the attackers delegated control over the victim’s Venus account—imagine handing someone your house keys while thinking you’re just showing them pictures of your living room.
Within minutes of the breach, security partners detected suspicious activity as the hackers attempted to borrow and redeem assets, including stablecoins and wrapped Bitcoin. Venus Protocol responded swiftly by pausing the platform, preventing further asset movement while security firms Hexagate and Hypernative analyzed the on-chain patterns. SlowMist’s forensic analysis revealed distinctive tactical signatures linking the attack to previous Lazarus Group operations.
What happened next was unprecedented in DeFi crisis management. An emergency governance vote, with five wallets participating, unanimously approved a forced liquidation of the attacker’s wallet. The speed of that decision demonstrated the key advantage of the smart contract automation that DAOs use for security incident response.
In DeFi’s finest hour, five wallets became judge, jury, and executioner—voting to liquidate the attacker and reclaim millions.
Within 12 hours, the full $13.5 million was recovered and sent to a protocol-controlled address. Talk about closing the barn door before the horse escapes—and somehow getting the horse back too!
Despite the successful recovery, the incident caused an initial 10% drop in the XVS token value. It also highlighted that even hardware wallet protections can’t guard against social engineering, a growing vulnerability across DeFi. The case exemplifies an alarming trend: phishing attacks now represent over half of all DeFi breaches.
The Venus Protocol case represents just one piece of a larger puzzle: North Korean hackers have been on a tear in 2025, contributing to over $2 billion stolen in crypto attacks, including a massive $1.5 billion heist from Bybit.
As the dust settles, this incident sparks continued debate on balancing decentralization principles with protocol-level interventions that can save user funds during emergencies—a tension at the heart of DeFi’s evolution.








