Hackers hit bZx DeFi platform, stealing millions of dollars of crypto


A phishing attack has led to a hacker getting their hands on cryptocurrency estimated to be worth about $55 million.

The spear-phishing attack on an employee of decentralized finance (DeFi) platform bZx, which allows users to borrow, loan, and speculate on cryptocurrency price variations, gave attackers two private keys that the platform used for its integration with the Polygon and Binance Smart Chain (BSC) blockchains.

“After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval,” noted the platform in its initial investigation into the incident.


While bZx has yet to comment on the amount of funds stolen, blockchain security firm SlowMist, which has been reporting on the incident, estimates the figure will be north of $55 million, based on the malicious transactions it has detected.

Million dollar heist

According to the platform, it appears a bZx developer was sent a phishing email with a malicious macro in a Microsoft Word document, disguised as a legitimate email attachment. The tainted attachment ran a script that gave the attackers the developer’s personal cryptocurrency wallet mnemonic phrase.

The attack then escalated once the hackers got hold of the two private keys. In addition to the developer’s funds, the attack has also impacted lenders, borrowers, and farmers with funds on Polygon and BSC, as well as users who had granted unlimited token approvals to the affected contracts.

As the platform works to gather the specific list of wallets that were affected, it has disabled the ability to deposit new funds. bZx also said that it is working with various cryptocurrency exchanges to “track the attacker, and freeze, and potentially recover the stolen funds.”

In addition, the platform has put out a message asking the attacker to return the funds in exchange for a bounty, in the same vein as the PolyNetwork incident, which saw the hacker return all $600 million worth of stolen cryptos.


With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.