SlowMist: In-Depth Analysis of the $13 Million Venus User Hack
Root Cause
The victim mistakenly opened a Zoom meeting link forged by the attacker and, following the instructions of the fake website, ran malicious code on their computer, which gave the attacker full control of the machine. With many of the relevant logs deleted, the analysis faced considerable challenges. According to the victim's recollection, they were using a well-known official browser extension wallet at the time and suspected that the attacker had tampered with the wallet code on their computer. As a result, the user's intended Venus asset redemption operation, signed via a hardware wallet, was altered into a Venus position delegation operation, ultimately allowing the attacker to take over the user's positions on Venus.
Detailed Analysis
The attacker used social engineering, posing as a business partner to lure the target into a Zoom meeting and sending the meeting link via Telegram. (Because the chat records were deleted, the full process could not be completely reconstructed.) The victim clicked the link and joined the meeting.
Because of a scheduling conflict with another meeting, the victim joined in a hurry and did not carefully verify that the domain in the browser was the official Zoom site. Meanwhile, the attacker, still pretending to be a business partner, repeatedly pressured the victim during the meeting, preventing them from recognizing that the "upgrade" prompt on the website was malicious.
Eventually, the victim's computer was fully compromised. For a reference on how such a device takeover can occur, see the Unphishable Web3 phishing simulation platform (https://unphishable.io/), level #NO.0x0036, for a complete challenge exercise.
