SlowMist: In-Depth Analysis of the $13 Million Venus User Hack
Authors: Kong & Thinking
Editor: Liz
Background
On September 2, 2025, community user @KuanSun1990 was targeted in an attack that resulted in multiple positions on the Venus protocol being transferred, causing losses of approximately $13 million. SlowMist’s proprietary Web3 threat intelligence and dynamic security monitoring tool, MistEye, successfully detected the anomaly and assisted the user in conducting the analysis. The following provides a detailed investigation.
Root Cause
The victim mistakenly accessed a Zoom meeting link forged by the attacker and ran malicious code on their computer under the guidance of the fake website, resulting in full device control. With many relevant logs deleted, the analysis faced considerable challenges. According to the victim’s recollection, they were using a well-known official browser extension wallet at the time and suspected that the attacker had tampered with the wallet code on their computer. As a result, the user’s intended Venus asset redemption operation through a hardware wallet was altered into a Venus position delegation operation, ultimately allowing the attacker to take over the user’s positions on Venus.
Detailed Analysis
The attacker leveraged social engineering, posing as a business partner to lure the target into a Zoom meeting, sending the meeting link via Telegram. (Due to deleted chat records, the full process could not be fully reconstructed.) The victim clicked the link and joined the meeting.
Due to a scheduling conflict with another meeting, the victim entered hastily and did not carefully verify the browser domain as the official Zoom site. Meanwhile, the attacker, pretending to be a business partner, continually urged the victim during the meeting, preventing them from recognizing whether the upgrade prompt on the website was malicious.
Eventually, the victim’s computer was fully compromised. For a reference on how such a device takeover could occur, see the Unphishable Web3 phishing simulation platform (https://unphishable.io/) level #NO.0x0036 for a complete challenge exercise.
After gaining control of the victim’s computer, the attacker modified the wallet code in the victim’s browser extension, enabling them to hijack and replace the original transaction data. Since the victim’s hardware wallet lacked a fully implemented “what you see is what you sign” (WYSIWYS) verification mechanism, the victim ultimately signed a tampered transaction.
How Did the Attacker Modify the Browser Extension Wallet?
Chrome enforces a security mechanism such that if an extension is downloaded from the Chrome Web Store, any code modification triggers a browser warning that the extension is corrupted and unusable. Moreover, this integrity check cannot be disabled.
Initially, we suspected the attacker might not have directly modified a well-known official browser extension wallet, but instead employed other attack methods. As many traces on the victim’s computer were deleted, the exact method could not be fully reconstructed. However, through in-depth research and coordination with threat intelligence partners, we confirmed that the browser extension ID used for tampering matched the official extension ID.
We then investigated how to maintain the official extension ID while allowing code modification:
- By enabling Developer Mode in Chrome’s extension page, one can copy the original extension file and import it into the browser. This results in a new extension with the same ID as the official one, while allowing arbitrary code modifications. This works because Chrome generates the extension ID based on the key in the manifest.json file. Ensuring the key matches the official version allows the modified extension to retain the same ID without triggering integrity checks.
- Alternatively, by patching Chrome’s extension content verification function, global integrity checks can be disabled. On macOS, this requires re-signing to keep the program usable.
These two methods represent possible attack vectors researched internally by SlowMist. There is no confirmed evidence that the attacker actually used these exact techniques.
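As an added example (not from SlowMist or the original post), the following Python triage check derives an extension ID from a manifest key the way Chrome does and then scans a Chrome profile's extension settings for a watchlisted wallet ID that was loaded unpacked instead of installed from the Web Store. The manifest keys and the sample profile are constructed, and the Preferences field names and location values are assumptions noted in the comments.

```python
import base64
import hashlib

ID_ALPHABET = "abcdefghijklmnop"  # Chrome maps hex digits 0-f to letters a-p


def extension_id_from_key(manifest_key_b64: str) -> str:
    """Derive a Chrome extension ID from the base64 "key" field of manifest.json:
    SHA-256 over the decoded (DER) public key, first 32 hex chars, hex -> a-p."""
    digest = hashlib.sha256(base64.b64decode(manifest_key_b64)).hexdigest()
    return "".join(ID_ALPHABET[int(c, 16)] for c in digest[:32])


# Constructed stand-ins for manifest keys (not real wallet keys); the IDs they
# yield play the role of the official wallet ID and an unrelated extension ID.
OFFICIAL_WALLET_KEY = base64.b64encode(b"constructed-official-wallet-key").decode()
OFFICIAL_WALLET_ID = extension_id_from_key(OFFICIAL_WALLET_KEY)
OTHER_ID = extension_id_from_key(base64.b64encode(b"constructed-other-key").decode())

# Assumed layout of Chrome's per-profile Preferences / Secure Preferences JSON:
# extensions.settings.<id> carries "location" (1 = Web Store install,
# 4 = loaded unpacked via Developer Mode), "from_webstore" and "path".
LOCATION_WEBSTORE, LOCATION_UNPACKED = 1, 4


def find_sideloaded_wallets(prefs: dict, watchlist: set) -> list:
    """Flag watchlisted IDs whose install record does not come from the Web Store.
    A same-ID extension loaded unpacked is what a key-preserving Developer Mode
    re-import looks like: the ID is kept, but the store integrity check no longer applies."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, meta in settings.items():
        if ext_id not in watchlist:
            continue
        unpacked = meta.get("location") == LOCATION_UNPACKED
        if unpacked or not meta.get("from_webstore", False):
            findings.append({"id": ext_id, "unpacked": unpacked,
                             "location": meta.get("location"), "path": meta.get("path")})
    return findings


# Constructed sample profile: the official wallet ID is present but loaded unpacked
# from a local folder, while an unrelated extension is a normal Web Store install.
SAMPLE_PREFS = {"extensions": {"settings": {
    OFFICIAL_WALLET_ID: {"location": LOCATION_UNPACKED, "from_webstore": False,
                         "path": "/Users/victim/Downloads/wallet-ext-modified"},
    OTHER_ID: {"location": LOCATION_WEBSTORE, "from_webstore": True,
               "path": OTHER_ID + "/1.0.0_0"},
}}}

if __name__ == "__main__":
    for f in find_sideloaded_wallets(SAMPLE_PREFS, {OFFICIAL_WALLET_ID}):
        print(f"ALERT: {f['id']} unpacked={f['unpacked']} path={f['path']}")
```

On a real machine, point the scan at the profile's Preferences and Secure Preferences files and seed the watchlist with the IDs of the wallet extensions the organisation actually uses.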
Before launching the attack, the attacker, on September 1, funded approximately 21.18 BTCB and 205,000 XRP to prepare for taking over the victim’s Venus positions.
After waiting for about 10 hours, the attacker finally had an opportunity when the victim interacted with their wallet. The victim connected their hardware wallet to the extension wallet in Chrome and accessed the official Venus website.
The victim then attempted to redeem their USDT tokens on Venus. Although the Venus front end requested the correct redeemUnderlying call, the tampered extension replaced it with an updateDelegate operation. The victim’s hardware wallet did not support detailed signature data verification and had blind signing enabled, so the victim unknowingly signed the updateDelegate operation and submitted it via the extension wallet. Consequently, their Venus positions were delegated to the attacker.
After the delegation, the attacker immediately executed a flash loan via Lista to borrow approximately 285 BTCB and used their own 21.18 BTCB and 205,000 XRP. They then repaid about 306.89 BTCB and 152,673.96 XRP of the victim’s loans on Venus.
Subsequently, the attacker redeemed the victim’s collateral (USDT/USDC/WBETH/FDUSD/ETH) to addresses under their control.
The attacker had now fully transferred the victim’s Venus positions. To settle the flash loan without slippage, the attacker re-deposited the collateral into Venus and borrowed BTCB to repay the loan.
When the attacker held the Venus positions but had not yet performed further operations, the Venus team reacted swiftly, pausing the protocol and later halting all market EXIT_MARKET operations.
This action prevented the attacker from further exploiting the positions. The Venus team then initiated an emergency proposal vote to restore protocol safety while attempting to recover the stolen funds.
Ultimately, the Venus team forcibly liquidated the attacker’s positions to recover the stolen assets for the victim.
Additionally, MistTrack, an on-chain AML tracking tool, identified that addresses related to the attacker previously withdrew funds from ChangeNOW.
Other addresses interacted with multiple exchange platforms (e.g., 1inch), cross-chain platforms (e.g., Across Protocol), and sanctioned exchanges (e.g., eXch).
Conclusion
This incident represents a carefully orchestrated phishing attack. The attacker gained control of the user’s device via a malicious Zoom client and exploited Chrome Developer Mode to tamper with the wallet extension, cleverly replacing asset redemption operations with position delegation operations. The technique was highly sophisticated. Fortunately, the Venus team responded quickly, coordinating across teams to mitigate the attack and recover the stolen funds, preventing potentially massive losses.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
