A user of the Venus lending platform on BNB Chain lost about $27 million in a phishing attack, PeckShield analysts reported. According to their data, the victim approved a malicious transaction, which allowed the attacker to transfer tokens out of the victim's wallet. Cyvers experts confirmed that the theft was caused by the actions of fraudsters, not by platform vulnerabilities.
Approximately $19.8 million in Venus USDT (vUSDT) and $7.15 million in Venus USDC (vUSDC) were withdrawn from the affected wallet. Project representatives noted that the Venus smart contracts remained safe and that the incident occurred due to the user's own error.
The crypto analytics community is actively discussing the incident. The founder of Pink Brains, who goes by the pseudonym Ignas, ran a post-mortem of the incident in ChatGPT and concluded that the attack was made possible by the careless use of wallet permissions. The attacker acted in stages: first, he paid off the user's debt to free up the collateral assets, then used the access he had been granted to borrow USDC to his own address, and finally withdrew the vTokens to his wallet. In the end, the victim's wallet was completely emptied.
Ignas emphasized the importance of controlling permissions in DeFi applications. He recommended regularly reviewing and revoking unused or unlimited token permissions to reduce the risk of loss. Another analyst, Crypto Jargon, also noted that the user had granted the attacker unlimited access to the wallet's tokens, which was a critical factor in the theft.
Experts point to basic security rules: do not follow suspicious links, check transactions carefully before confirming them, use hardware wallets for large amounts, and regularly manage the permissions granted to decentralized applications. They also note that scammer activity traditionally increases in a bull market.
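The permission review Ignas recommends can be run over a wallet's approval history. The following is an added example, not code from Venus or from the analysts quoted: it assumes the standard ERC-20/BEP-20 `Approval(owner, spender, value)` event and logs already fetched from a node as dictionaries; all addresses, function names and log entries are constructed for illustration.

```python
# Topic hash of the standard ERC-20/BEP-20 event Approval(address,address,uint256).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumption: treat allowances at or above 2**255 as unlimited

def _addr(topic):
    """Extract the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order; last value per (token, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-20 Approval has exactly 3 topics (ERC-721 Approval has 4).
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(t[1]) != owner.lower():
            continue
        state[(log["address"].lower(), _addr(t[2]))] = int(log["data"], 16)
    # An approval later set to 0 has been revoked and is dropped.
    return {k: v for k, v in state.items() if v > 0}

def unlimited_approvals(logs, owner):
    """(token, spender) pairs that still hold an effectively unlimited allowance."""
    live = outstanding_allowances(logs, owner)
    return sorted(k for k, v in live.items() if v >= UNLIMITED)

# --- constructed sample data (hypothetical addresses and logs) ---
def _log(block, idx, token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
SPENDER_1, SPENDER_2 = "0x" + "51" * 20, "0x" + "52" * 20
MAX = 2**256 - 1
SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, OWNER, SPENDER_1, MAX),   # unlimited, never revoked
    _log(101, 3, TOKEN_A, OWNER, SPENDER_2, MAX),   # unlimited ...
    _log(105, 1, TOKEN_A, OWNER, SPENDER_2, 0),     # ... later revoked
    _log(110, 0, TOKEN_B, OWNER, SPENDER_2, 1000),  # bounded allowance
    _log(111, 2, TOKEN_B, OTHER, SPENDER_1, MAX),   # different owner, ignored
]

if __name__ == "__main__":
    for token, spender in unlimited_approvals(SAMPLE_LOGS, OWNER):
        print(f"revoke candidate: token={token} spender={spender}")
```

The values recovered from logs are an upper bound, because spending through `transferFrom` reduces an allowance without necessarily emitting a new `Approval` event; confirm each candidate with the token's `allowance()` call before and after revoking.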
In addition to the Venus incident, the decentralized exchange Bunni lost $2.3 million due to a vulnerability in its smart contracts on Ethereum. The attacker withdrew $1.33 million in USDC and $1.04 million in USDT. Bunni developers suspended the contracts and recommended that users urgently withdraw their funds while the incident is investigated.
Recall that in March, the Venus team already faced problems after the Binance oracle crashed, which led to the loss of $274,000. These events once again highlight the need for careful handling of crypto assets and disciplined management of wallet permissions.