
Fake Zoom Meeting Leads to $13 Million Crypto Theft in Venus Protocol Social Engineering Attack

TL;DR

  • A crypto user lost approximately $13 million after being lured into a fake Zoom meeting via Telegram
  • Attackers gained full device control and modified the victim’s browser wallet extension code
  • The tampered wallet converted a legitimate redemption transaction into a position delegation to the attacker
  • Venus protocol quickly halted operations and forcibly closed the attacker’s positions to recover funds
  • Security researchers warn that social engineering attacks on crypto users are becoming more sophisticated

A sophisticated social engineering attack on September 2, 2025, resulted in the theft of approximately $13 million from a Venus protocol user, according to a detailed investigation by blockchain security firm SlowMist. The attack demonstrates an alarming escalation in phishing tactics targeting cryptocurrency holders, combining real-time impersonation with deep technical exploitation of wallet software.

The Attack Vector

The victim, identified as community member @KuanSun1990, was contacted through Telegram by an attacker posing as a business partner. The impersonator sent what appeared to be a Zoom meeting link and urged the victim to join an urgent call. Because the victim was already in another meeting, they joined hastily and did not verify that the domain shown in the browser was the official Zoom website.

Once the victim clicked the link, the fake website prompted them to run code on their computer. Under the pressure of the ongoing meeting and the impersonator’s continual urging, the victim complied, inadvertently giving the attacker full control of their device.

Wallet Extension Compromise

After gaining device access, the attacker took a particularly sophisticated step: they modified the code of the victim’s browser extension wallet. SlowMist’s investigation revealed that the attacker likely enabled Chrome’s Developer Mode, copied the original extension file, and reimported it with modified code. Because Chrome generates extension IDs based on the key in the manifest.json file, the tampered version retained the same ID as the official wallet without triggering integrity checks.
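As an added illustration of the point above (not code from the article or from SlowMist's report): Chrome derives an extension's ID from the public key in manifest.json alone, so a re-imported copy that keeps the key keeps the ID, and an integrity check has to hash the extension's files instead of trusting the ID. The directory layout, file names and key bytes used here are constructed placeholders.

```python
import base64, hashlib, json, os, tempfile

HEX_TO_ID = str.maketrans("0123456789abcdef", "abcdefghijklmnop")

def chrome_extension_id(manifest_key_b64: str) -> str:
    """Derive the ID the way Chrome does: SHA-256 of the DER public key in
    manifest.json "key", first 128 bits, hex digits remapped 0-9a-f -> a-p."""
    der = base64.b64decode(manifest_key_b64)
    return hashlib.sha256(der).hexdigest()[:32].translate(HEX_TO_ID)

def fingerprint_extension(ext_dir: str) -> tuple:
    """Return (extension_id, code_hash) for an unpacked extension directory.
    code_hash covers every file (relative path + bytes) in a fixed order, so
    editing any file changes it even though the ID stays the same."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        ext_id = chrome_extension_id(json.load(f)["key"])
    h = hashlib.sha256()
    for root, dirs, files in os.walk(ext_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(root, name)
            h.update(os.path.relpath(path, ext_dir).replace(os.sep, "/").encode())
            with open(path, "rb") as f:
                h.update(f.read())
    return ext_id, h.hexdigest()

def verify_extension(ext_dir: str, expected_id: str, expected_hash: str) -> dict:
    """Check an installed extension against a known-good baseline. A matching
    ID alone proves nothing about integrity; only the code hash does."""
    ext_id, code_hash = fingerprint_extension(ext_dir)
    return {"id_matches": ext_id == expected_id, "code_matches": code_hash == expected_hash}

def write_extension(ext_dir: str, key_b64: str, background_js: str) -> None:
    """Write a minimal unpacked extension (constructed fixture for the demo)."""
    os.makedirs(ext_dir, exist_ok=True)
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"manifest_version": 3, "name": "demo-wallet", "version": "1.0", "key": key_b64}, f)
    with open(os.path.join(ext_dir, "background.js"), "w", encoding="utf-8") as f:
        f.write(background_js)

def demo() -> dict:
    """Genuine copy vs. re-imported copy: same manifest key, one source line changed."""
    key_b64 = base64.b64encode(b"constructed placeholder, not a real DER key").decode()
    with tempfile.TemporaryDirectory() as tmp:
        genuine, copy = os.path.join(tmp, "genuine"), os.path.join(tmp, "copy")
        write_extension(genuine, key_b64, "sign(tx); // original\n")
        write_extension(copy, key_b64, "sign(tx); // one line changed\n")
        return verify_extension(copy, *fingerprint_extension(genuine))
```

`demo()` reports `id_matches` as true and `code_matches` as false, which is exactly the situation the investigation describes: the ID check passes while the code has changed.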

This meant that when the victim connected their hardware wallet to the extension and visited the official Venus website, everything appeared normal. The victim initiated a routine USDT redemption on Venus. However, the tampered extension silently replaced the legitimate redeemUnderlying function call with an updateDelegate operation, delegating the victim’s positions to the attacker.

Why the Hardware Wallet Didn’t Help

The victim was using a hardware wallet in combination with the browser extension, which should have provided an additional layer of security. However, the hardware wallet lacked a fully implemented “what you see is what you sign” (WYSIWYS) verification mechanism. This meant the victim could not clearly verify on the device screen that the transaction data had been altered before signing.

The attack highlights a critical gap in the hardware wallet security model: if the software layer between the user and the hardware wallet is compromised, the hardware device alone cannot guarantee transaction integrity unless it provides comprehensive display of all transaction details.

Rapid Response by Venus

Upon detecting the attack, the Venus protocol team took immediate action. They halted protocol operations and forcibly closed the attacker’s positions in an effort to recover the stolen funds. The attacker had funded approximately 21.18 BTCB and 205,000 XRP in preparation for the position takeover, indicating a well-planned operation.

The protocol’s rapid response prevented additional losses and demonstrated the importance of having emergency procedures in place for sophisticated attacks. However, the incident still resulted in substantial losses for the victim.

A Growing Threat Pattern

This attack fits into a broader trend of increasingly sophisticated social engineering campaigns targeting crypto users. According to CertiK’s H1 2025 security report, phishing attacks accounted for approximately 16.6% of all crypto losses by value in the first half of the year, totaling $410.7 million across 132 incidents. More importantly, phishing was the leading cause of security incidents by count, suggesting that attackers view it as a reliable and scalable method.

The Venus attack is particularly concerning because it combines multiple attack vectors: social engineering through impersonation, device takeover through malicious code execution, and software supply chain compromise through wallet modification. This multi-layered approach makes such attacks difficult to prevent through any single security measure.

With Bitcoin trading near $115,700 and Ethereum around $4,480, the high value of crypto assets continues to incentivize increasingly creative and technically sophisticated attacks. The September 2025 period alone saw approximately $127 million lost across 20 major exploits, according to PeckShield.

Why This Matters

This incident demonstrates that crypto security extends far beyond protecting private keys and seed phrases. As the attack landscape evolves, users must be vigilant about every interaction, from meeting invitations to software updates. The convergence of social engineering with deep technical exploitation represents a new frontier in crypto theft that demands equally sophisticated defensive measures.

For the industry, the attack underscores the urgent need for hardware wallets with comprehensive WYSIWYS capabilities, browser extension integrity monitoring, and better user education about the risks of real-time social engineering. No amount of protocol-level security can protect against an attacker who has already compromised the user’s device and software environment.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always verify meeting links and never run untrusted code on devices used for cryptocurrency transactions.


14 thoughts on “Fake Zoom Meeting Leads to $13 Million Crypto Theft in Venus Protocol Social Engineering Attack”

    1. Leila infrastructure gets more robust but the attack surface shifts to social engineering. fake zoom meeting into full device control into wallet code modification

      1. meet link modifying a browser wallet extension in real time during a fake zoom call. the attack chain is insane but entirely preventable with hardware wallet signing

        1. meet_safe_ hardware wallet signing is the only defense here. if the malicious code can't replace your transaction at the signing step the whole attack chain falls apart

          1. hardware wallet would have stopped the modified transaction but the attacker had full device control. they could have swapped the wallet extension entirely to intercept the signing flow

    1. Dario the fundamental value proposition is strong but the human attack vector keeps getting worse. fake zoom links modifying wallet extensions in real time is next level

  1. fake zoom link to full device compromise to wallet code modification in one session. social engineering skipped the phishing kit phase and went straight to malware delivery

  2. Venus protocol halting operations and forcibly closing attacker positions was the right move. protocol level response to a social engineering attack shows maturity

    1. lena k. venus halting operations within minutes of detection saved most of the $13M. compare that to wormhole which took hours to respond. incident response has improved massively

    2. Lena K. Venus halting and forcibly closing positions recovered most funds. protocol level circuit breakers are becoming standard after the Nomad and Wormhole lessons

    3. forcibly closing positions was controversial too. legitimate users with open interest got liquidated during the halt. protocol level circuit breakers have collateral damage

  3. video_call_skeptic

    the attacker modified the browser wallet extension code in real time during a fake zoom call. this is malware delivery disguised as a meeting, not phishing. the industry needs better terminology
