BNB Whale Drained of $27M in DPRK-Linked Phishing Attack

In brief

A Binance Smart Chain user fell victim to a phishing scam and lost $27 million worth of tokens on Tuesday.
Early reports suggested that BNB lending platform Venus Protocol had been hacked, but blockchain security firms subsequently confirmed that this was not the case.
Venus Protocol and security firm PeckShield are in contact with the victim and are attempting to recover the funds that still sit in the attacker’s wallet.

A user on the Binance Smart Chain has lost $27 million to a phishing scam, according to security experts and those who have spoken with the victim. Several groups are now working with the victim and are attempting to recover the funds.

Early reports indicated that BNB lending protocol Venus Protocol had been hacked, due to the funds being held in Venus wrapper tokens for USDT and USDC. However, blockchain security firm Cyvers and Venus Protocol confirmed to Decrypt that the lending platform is not compromised—meaning the assets of other Venus users are safe.

PeckShield, another security company, also confirmed to Decrypt that it was a phishing scam, that the firm is in contact with the victim, and is working to recover the funds.

Venus Protocol community delegate Danny Cooper dismissed reports that the lending protocol had been hacked as “fake news,” telling Decrypt that, “A user falling victim to a phishing attack does not mean the protocol was drained. It was the user’s wallet that got compromised, not Venus.”

Cooper added that initial analysis from security firm ZeroShadow suggests that the “attack fingerprint” strongly points to the attackers being from the Democratic People’s Republic of Korea.

North Korean scammers are rife in crypto, with centralized exchange Binance claiming it fends off phishing attempts from the region every single day. Lazarus Group, one of the most notorious hacker outfits in the world, is located in North Korea. According to the FBI, the group was responsible for the infamous $1.4 billion Bybit hack in March—the largest hack in crypto history.

How phishing scams work

Phishing scams involve tricking users into approving malicious transactions by imitating trusted platforms. “They succeed because they exploit human trust and urgency,” Hakan Unal, Senior Security Operations Center Lead at Cyvers, told Decrypt, adding that they usually take place during airdrops and token launches.

According to Cyvers, the attack likely came at the hands of a website that looked like a trusted site, with minor changes in the domain. The victim then approved a malicious transaction, which resulted in their funds being drained from their wallet.

Following the suspicious transfer, Cooper said, Venus Protocol’s security mechanism was triggered, and the protocol was paused. He said this appears to have prevented the attacker from moving the Venus wrapped tokens from their wallet.

Venus Protocol is also in contact with the victim and is working with several security partners, including Binance Security, HexaGate, ChaosLabs, and ZeroShadow, to help recover the funds. However, Cooper explained, the team isn’t 100% certain that recovery will be possible at this moment.