Hackers hit bZx DeFi platform, stealing millions of dollars of crypto


A phishing attack has led to a hacker getting their hands on cryptocurrency estimated to be worth about $55 million.

The spear-phishing attack on an employee of decentralized finance (DeFi) platform bZx, which allows users to borrow, loan, and speculate on cryptocurrency price variations, gave attackers two private keys that were used by the platform for its integration with the Polygon and Binance Smart Chain (BSC) blockchains.

“After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval,” noted the platform in its initial investigation into the incident.

While bZx has yet to comment on the amount of funds stolen, blockchain security firm SlowMist, reporting on the incident, estimates the figure will be north of $55 million, based on the malicious transactions it has detected.

Million dollar heist

According to the platform, it appears a bZx developer was sent a phishing email with a malicious macro in a Microsoft Word document, disguised as a legitimate email attachment. The tainted attachment ran a script that gave the attackers the developer’s personal cryptocurrency wallet mnemonic phrase.

The attack then escalated once the hackers got hold of the two private keys. In addition to the developer’s funds, the attack has impacted lenders, borrowers, and farmers with funds on Polygon and BSC, and those who had given unlimited approvals to those contracts.
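The "unlimited approvals" mentioned above are the reason a key compromise at the protocol could reach funds sitting in users' own wallets. The model below is an added example, not bZx code or real on-chain data: it reproduces ERC-20 allowance semantics in plain Python (hypothetical `Token` class, constructed addresses and balances) to show that a spender contract holding a `MAX_UINT256` approval can move an approver's entire balance, and that the defender's fix, revoking by setting the allowance to 0, closes that path. `risky_allowances` is the check a user or wallet tool would run to find approvals worth revoking.

```python
"""Model of ERC-20 allowance semantics: why an unlimited approval granted
to a contract whose code or admin key can change lets that contract's
controller drain the approver's whole balance, and how a revoke stops it.

Hypothetical, added example: the ledger, addresses and balances below are
constructed here and are not bZx's contracts or real chain data.
"""

MAX_UINT256 = 2**256 - 1  # the value front-ends commonly request for "unlimited" approval


class Token:
    """Minimal in-memory ERC-20-style token: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves `amount` of owner's tokens; fails if allowance or balance is short."""
        if self.allowance(owner, spender) < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Decremented here for simplicity; real implementations usually skip the
        # decrement when the allowance is MAX_UINT256, so "unlimited" stays unlimited.
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drainable_by(token, spender, owner):
    """How much of owner's balance the spender contract could move right now."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def risky_allowances(token, threshold_ratio=1.0):
    """Return (owner, spender, allowance) triples where the allowance covers the
    owner's whole balance. Defender's check: these approvals are the ones to
    revoke when the spender's code can change under them (upgradeable proxy,
    compromised admin key)."""
    out = []
    for (owner, spender), amt in token.allowances.items():
        bal = token.balances.get(owner, 0)
        if bal > 0 and amt >= bal * threshold_ratio:
            out.append((owner, spender, amt))
    return out


def revoke(token, owner, spender):
    """Revoke by setting the allowance to 0, the standard ERC-20 idiom."""
    token.approve(owner, spender, 0)


def demo():
    # Constructed scenario: a lender holds 1_000 tokens and, as many front-ends
    # prompt, approved the protocol contract for MAX_UINT256.
    t = Token({"lender": 1_000, "protocol": 0, "attacker": 0})
    t.approve("lender", "protocol", MAX_UINT256)
    exposed = drainable_by(t, "protocol", "lender")  # whole balance is reachable
    # Whoever controls the protocol contract's upgrade path can make it call
    # transferFrom on every approver; modelled here as one direct call.
    t.transfer_from("protocol", "lender", "attacker", exposed)
    drained = t.balances["attacker"]
    # Same scenario, but the lender revoked before the compromise: the call fails.
    t2 = Token({"lender": 1_000, "protocol": 0, "attacker": 0})
    t2.approve("lender", "protocol", MAX_UINT256)
    revoke(t2, "lender", "protocol")
    try:
        t2.transfer_from("protocol", "lender", "attacker", 1_000)
        blocked = False
    except PermissionError:
        blocked = True
    return exposed, drained, blocked


if __name__ == "__main__":
    print(demo())  # (1000, 1000, True)
```

The model deliberately ignores gas, events and the `approve` race condition; the point is only that an allowance is a standing permission independent of any deposit, so it survives a change of who controls the spender contract until the owner revokes it.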

As the platform works to gather the specific list of wallets that were affected, it has disabled the ability to deposit new funds. bZx also said that it is working with various cryptocurrency exchanges to “track the attacker, and freeze, and potentially recover the stolen funds.”

In addition, the platform has put out a message asking the attacker to return the funds in exchange for a bounty, in the same vein as the PolyNetwork incident, which saw the hacker return all $600 million worth of stolen cryptos.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.