The hack took place after one of bZx’s employees was sent a phishing email embedded with a malicious macro hidden in an MS Word document, which, when downloaded, ran a script allowing the attacker to obtain the developer’s personal mnemonic cryptocurrency wallet phrase.
A decentralized finance (DeFi) lending platform called bZx has suffered a hack causing a loss of approximately $55 million in cryptocurrency. According to a tweet posted by SlowMist, a blockchain security firm, the company’s private key was compromised, leading to the crypto heist.
Reportedly, bZx allows users to borrow or loan crypto. The platform has been on the radar of cybercriminals and suffered three hacks in 2020, the third and largest of which occurred in September.
bZx was able to recover $8 million in cryptocurrency from that third attack, while in the other two attacks, the platform managed to recover $630,000 and $350,000, respectively. This time the total funds lost stand at $55 million. The company shared on Twitter that around 25% of these funds are “personal losses from the team wallet.”
Details of Attack
According to reports, the hacker was able to steal cryptocurrency worth $55 million after launching a spear-phishing attack on a bZx developer.
The employee was sent a phishing email embedded with a malicious macro hidden in an MS Word document, which, when downloaded, ran a script allowing the attacker to obtain the developer’s personal mnemonic cryptocurrency wallet phrase.
The hacker(s) then obtained two private keys that the platform used to integrate with the Binance Smart Chain (BSC) and Polygon blockchains. After gaining control of the keys, the hacker drained both the BSC and Polygon protocols and upgraded the contracts so that all tokens for which those contracts had been given unlimited approval could be drained.
It is suspected that, apart from the developer’s funds, the attack has impacted lenders, farmers, and borrowers, who also had funds stored on the two blockchains with unlimited approval given to those contracts.
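For users checking their own exposure to this kind of contract upgrade, the following added example (not from the article or from bZx) replays ERC-20 `Approval` event logs and lists allowances that are still unlimited toward a watched spender contract. All addresses are constructed placeholders, and the logs are assumed to be already fetched with `blockNumber` and `logIndex` decoded to integers.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Assumption for this example: anything this large is treated as "unlimited".
UNLIMITED_THRESHOLD = 2**255

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_unlimited_approvals(logs, watched_spenders):
    """Return (token, owner, spender) tuples whose latest approval is unlimited."""
    watched = {s.lower() for s in watched_spenders}
    latest = {}
    # Replay in chain order so a later revoke (value 0) overrides an earlier grant.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval has the same signature but 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        if spender in watched:
            latest[(log["address"].lower(), owner, spender)] = int(log["data"], 16)
    return sorted(k for k, v in latest.items() if v >= UNLIMITED_THRESHOLD)

# --- Constructed sample data (placeholder addresses, not real contracts) ---
TOKEN_1, TOKEN_2 = "0x" + "1" * 40, "0x" + "2" * 40
WATCHED, OTHER = "0x" + "5" * 40, "0x" + "6" * 40
ALICE, BOB, CAROL = "0x" + "a" * 40, "0x" + "b" * 40, "0x" + "c" * 40

def _word(hex_str):
    """Left-pad a hex value to a 32-byte word, as it appears in a log."""
    return "0x" + hex_str[2:].rjust(64, "0")

def _log(block, idx, token, owner, spender, value):
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, _word(owner), _word(spender)],
            "data": _word(hex(value))}

SAMPLE_LOGS = [
    _log(150, 1, TOKEN_1, BOB, WATCHED, 0),            # Bob later revokes
    _log(100, 0, TOKEN_1, ALICE, WATCHED, 2**256 - 1), # still open
    _log(101, 3, TOKEN_1, BOB, WATCHED, 2**256 - 1),
    _log(120, 0, TOKEN_1, CAROL, OTHER, 2**256 - 1),   # spender not watched
    _log(130, 2, TOKEN_2, ALICE, WATCHED, 1000),       # bounded allowance
]

if __name__ == "__main__":
    for token, owner, spender in open_unlimited_approvals(SAMPLE_LOGS, [WATCHED]):
        print(f"revoke: owner {owner} -> spender {spender} on token {token}")
```

The result reflects events only; an allowance listed here should be confirmed on-chain before and after revoking it.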
The DeFi protocol hasn’t yet responded to SlowMist’s estimate of the stolen funds. Still, it confirmed that an attacker stole millions in multiple cryptocurrencies and that one of its developers was trapped through a phishing attack. SlowMist shared a breakdown of the stolen funds across the different wallets owned by the attacker, which is as follows:
“The address with the most funds holds about $18.4 million, with other addresses having balances of $6 million, $13.8 million, $15.5 million, and $697.”
bZx is currently investigating and creating a list of affected wallets, while the feature for depositing new funds on bZx is disabled. The company stated that it is tracking the attacker and freezing the stolen funds to make a recovery. For this, bZx has collaborated with different cryptocurrency exchanges. Additionally, the platform has posted a message requesting the hacker to return the funds in exchange for a bounty.