bZx Phishing Attack Led to $55 Million Theft

  • The bZx team has explained that a phishing attack on a developer caused the $55 million hack last week
  • The hack saw the private key controlling tokens in a number of wallets stolen
  • The incident is the latest in a catalogue for bZx

DeFi protocol bZx has stated that the theft of $55 million worth of tokens was down to a developer falling victim to a phishing attack rather than an exploit of the protocol. The protocol, which has experienced an unusual number of incidents in the past two years, said in a post mortem that a developer was targeted with a phishing attack that had recently struck a bZx user, and that BZRX, USDC and USDT tokens with an estimated value of some $55 million were stolen. The exchange has taken steps to freeze the addresses associated with the tokens while reassuring users that the platform’s smart contracts had not been exploited.

bZx Developer Fell for Phishing Attack

bZx first acknowledged that something was wrong on Friday when the team tweeted that “the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds”, although they stated that the fundamental operations of the exchange were not compromised. In an attempt to reassure users, the team was also quick to add that the DAO treasury had more than enough to cover the loss.

In the post mortem, posted later on Friday, the bZx team outlined how the hack had occurred:

A bZx developer was sent a phishing email to his personal computer with a malicious macro in a Word document that was disguised as a legitimate email attachment, which then ran a script on his Personal Computer. This led to his personal mnemonic wallet phrase being compromised.

They then explained what had occurred following the attack:

  • The hacker stole BZRX on BSC and Polygon using the private key, then deposited some of the stolen BZRX funds to be used as collateral to borrow against other funds on the protocol
  • BZRX deployment on Ethereum was not affected and no funds were stolen
  • Funds held in the Polygon and BSC deployment were drained
  • A limited number of users who had approved the unlimited spend had funds stolen from their wallet
  • The developer's wallet had all of its funds drained

The bZx team added that they were in possession of the IP address of the hacker and sent the details to KuCoin to see if they could be identified. As is now standard in situations such as this, bZx reached out to the attacker to see if they would hand back the tokens for a potential reward and to avoid potential legal action.
