Hacker steals $55 M from bZx DeFi platform
$55 million worth of cryptocurrency have been stolen from the bZx decentralized finance (DeFi) platform. The decentralized finance (DeFi) platforms allow users to borrow/loan and speculate on cryptocurrency price variations.
The threat actors managed to obtain two private keys for the DeFi platform through spear-phishing attacks. The company stated that the incident was not a protocol hack.
According to the company, a bZx developer had his personal wallet’s private keys taken in a phishing attack. The developer was sent a phishing email to his personal computer with a malicious macro in a Word document which was disguised as a legitimate email attachment. This attack gave the hacker access to the content of the bZx Developers wallet, and also the private keys to the BSC and Polygon deployment of bZx Protocol. After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval.
The phishing message used a weaponized Word document which when opened once ran a script on the developer’s computer permitting the attackers to access the employee’s mnemonic wallet phrase.
The hackers stole funds in the developer’s personal wallet along with the two private keys that were being used by the bZx platform for its integration with the Polygon and Binance Smart Chain (BSC) blockchains.
They not only used the keys to steal the platform’s Polygon and BSC funds, but also to steal funds from a small number of users who approved unlimited spend operations.
The exact amount of stolen funds is not disclosed by bZx, but according to experts at blockchain security firm SlowMist, the threat actors have stolen more than $55 million.
The platform has taken the following actions in response to the incident.
- Contacted Banteg and Mudit Gupta to join in the war room.
- Contacted Tether and froze USDT from the hacker’s wallet.
- Contacted Binance and froze the BZRX that was stolen on BSC to prevent it from being transferred.
- Contacted KuCoin and identified that one of the hacker’s wallets was used to transfer in and out of the exchange.
- Disabled the UI on Polygon and BSC to prevent users from depositing.
- Contacted USDC and requested to freeze USDC in the hacker’s wallet.
- Contacted KuCoin to identify the hacker’s KuCoin account.
bZx promised a bounty to the attackers in case they return the stolen funds.
The post Hacker steals $55 M from bZx DeFi platform first appeared on Cybersafe News.
