Earlier this week, crypto whale Kuan Sun used his X account to share a detailed account of being targeted by a sophisticated phishing attack.
His story serves as a stark warning to all investors: he lost, and then recovered, $13.5 million. As the digital asset ecosystem expands, so does the risk of hacking. How can investors prevent large losses?
A seemingly harmless meeting that became a nightmare
Tuesday’s phishing attack hit Kuan Sun, a user of the decentralized cryptocurrency lending platform Venus Protocol. However, thanks to the prompt response and cooperation of the Venus Protocol team, he was able to recover the stolen funds.
The elaborate attack began in April 2025 at the Wang Xiang Conference in Hong Kong. There, mutual friends introduced Sun to someone who claimed to be Stack’s Asian business development representative. This kind of networking is common in the crypto space, and the two added each other on Telegram.
On August 29th, the so-called “BD” requested a simple Zoom meeting. Sun joined late and noticed that there was no sound in the room.
A pop-up message on the web page read, “The microphone needs an update.” Confused, Sun clicked the upgrade button. This was the fatal mistake that sprang the trap.
Sun later realized that the hackers had not been improvising. He said a highly customized attack, targeting him specifically, had been in motion since Monday.
After the “update”, he began to see strange behavior on his computer. The Chrome browser closed abnormally and a message popped up asking, “Do you want to restore tabs?”
Suspecting nothing, Sun continued his routine and accessed Venus Protocol via the browser. He then made a withdrawal, something he had done countless times before.
Shortly afterwards, his computer slowed down, his Google account was logged out of Chrome, and strange, unfamiliar transactions appeared in his wallet. He soon knew something was seriously wrong.
The analysis suggests that the hackers had replaced his frequently used Rabby Wallet extension with a malicious program. This tactic is often used by the infamous North Korean hacking group Lazarus.
After acquiring approval authority over the wallet, they quickly transferred out various tokens, including vUSDC, vETH, vWBETH and vBNB.
Quick recovery and important lessons
Sun acted swiftly, contacting blockchain security companies PeckShield and SlowMist for guidance. He also sought help from the Venus Protocol team.
As a result, Venus Protocol quickly suspended the platform as a precaution and began an investigation.
They then launched an emergency governance vote to force-liquidate the attacker’s wallets, allowing them to successfully retrieve the $13.5 million.
On Thursday, Sun shared his story and his key takeaways. He warned that North Korean hackers are increasingly using a combination of social engineering, deepfakes and Trojan horses.
As a result, what appears to be a legitimate video conference or a regular Twitter account can be completely fake.
He specifically advised users to avoid Zoom links sent by others and to download programs and plugins only from official channels. He also urged them not to click on any “Upgrade” link that appears in a pop-up window.
Sun expressed his gratitude for their prompt action to prevent further damage. He urged everyone to “always doubt the requests they receive in their daily lives, and always be calm and respond.”
It first appeared in VEINCRYPTO.


