Hacker steals $55 million from bZx DeFi platform
Catalin Cimpanu November 6, 2021

  • Hacker spear-phished a bZx employee and stole two private keys for the DeFi platform.
  • The private keys were used for bZx's integration with the Polygon and Binance Smart Chain blockchains.
  • bZx on Twitter: "Our treasury is robust and our community will decide a compensation package."

On November 12, security firm Kaspersky attributed this hack to a North Korean hacking group known as BlueNoroff, a group with a long history of targeting cryptocurrency exchanges and DeFi platforms. Original article below.

A hacker has stolen an estimated $55 million worth of cryptocurrency assets from bZx, a decentralized finance (DeFi) platform that allows users to borrow, lend, and speculate on cryptocurrency price variations.

“A bZx developer was sent a phishing email to his personal computer with a malicious macro in a Word document that was disguised as a legitimate email attachment,” the company said in a preliminary post mortem of the attack published on Friday night, hours after the hack.

bZx said the email attachment ran a script on the developer’s computer that compromised the employee’s mnemonic wallet phrase.

The attacker then proceeded to empty the developer’s personal wallet and then stole two private keys from the employee’s computer that were being used by the bZx platform for its integration with the Polygon and Binance Smart Chain (BSC) blockchains.

The hacker then used these keys to steal the platform’s Polygon and BSC funds, along with the same funds from a small number of users who approved unlimited spend operations for the two tokens in their accounts.

While bZx said it’s still investigating the exact amount of stolen funds, blockchain security firm SlowMist put the sum at more than $55 million, based on the malicious transactions it detected.

In the aftermath of the hack, bZx said it disabled its website’s UI to prevent users from depositing new funds and was working with various cryptocurrency exchanges to track the attacker and freeze and potentially recover the stolen funds.

bZx asks hacker for their funds back; promises a bounty

In addition, the DeFi platform has also put out a message directly addressed to the hacker:

We encourage this individual to reach out to the DAO at [email protected] to discuss returning the funds and potential bounty.

bZx is hoping for a repeat of the PolyNetwork incident, where the attacker returned all of the $600 million in stolen funds to the company after similar negotiations.

The bZx incident currently joins the list at #5 as one of the largest cryptocurrency heists that have taken place this year:

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.