A hacker has stolen an estimated $55 million worth of cryptocurrency assets from bZx, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price variations.
“A bZx developer was sent a phishing email to his personal computer with a malicious macro in a Word document that was disguised as a legitimate email attachment,” the company said in a preliminary post mortem of the attack published on Friday night, hours after the hack.
The platform released a statement stating that the email attachment ran a script on the developer’s computer which compromised the employee’s mnemonic wallet phrase. The hacker then proceeded to siphon until empty the developer’s personal wallet. Included in the theft were two private keys from the employee’s computer. Both keys were used by the platform for integrating with Polygon and Binance Smart Chain (BSC) blockchains.
After obtaining the keys, the thief proceeded to steal the platform’s Polygon and BSC funds. They also stole funds from a small number of users who approved unlimited spend operations.
While bZx said it’s still calculating the exact amount of stolen funds, blockchain security firm SlowMist has the predicted amount at more than $55 million, based on the malicious transactions it detected.
#bZx private key compromised, over $55 million dollars stolen so far. We’ll continue to update as more information is discovered. @RektHQ @ChainNewscom @bZxHQ https://t.co/SM6WWDt06J pic.twitter.com/39S05IiBFr
— SlowMist (@SlowMist_Team) November 5, 2021
In the aftermath of the hack, bZx said it disabled its website’s UI to prevent users from depositing new funds and was working with various cryptocurrency exchanges to track the attacker and freeze and potentially recover the stolen funds. bZx has asks the hackers for their funds back and promised to pay a bounty. In addition, the DeFi platform has also put out a message directly addressed to the hacker:
We encourage this individual to reach out to the DAO at hello@bzx.network to discuss returning the funds and potential bounty.
bZx is hoping for a repeat of the PolyNetwork incident, where the attacker returned all the $600 million stolen funds back to the company after similar negotiations. The bZx incident currently joins the list at #5 as one of the largest cryptocurrency heists that have taken place this year.
