An Estimated $55M Stolen in bZx Phishing Attack

Updated by Kyle Baird

In Brief

  • A phishing attack was executed on a developer’s PC at bZx using an email attachment infected with a malicious macro.
  • The phishing attack compromised the private keys of the developer’s wallet.
  • The developer, lenders, borrowers, and farmers with funds on Polygon and Binance Smart Chain (BSC) were affected.

On Nov 5, a bad actor managed to steal a trove of BZRX tokens and other cryptocurrencies on BSC and Polygon by using bZx private keys that were obtained in a phishing attack. The attacker was then able to deposit the stolen BZRX as collateral to borrow against other funds on the protocol.

bZx is an L2 DeFi margin lending protocol that runs on Ethereum, Polygon, and BSC. The deployment, governance, and DAO vault on Ethereum were not affected by the phishing attack, nor was the bZx smart contract.

The attack gave the hacker the keys to the Polygon and BSC deployments of the bZx protocol. It affected lenders, borrowers, and farmers, as well as those who had given unlimited approvals to those contracts. Funds were then removed from the BSC and Polygon implementations of bZx.

Blockchain ecosystem auditors SlowMist estimated the value of the lost funds to be in the region of $55M.

Timeline of the attack

bZx released a preliminary report on the attack method, timeline, and repercussions. Initially, a developer’s mnemonic wallet phrase was compromised.

Early on, bZx was notified of a negative balance in a user’s account and that utilization rates were high. bZx then determined that there had been suspicious activity on the Polygon and BSC deployments, and tracked the stolen funds to wallet addresses. The attacker moved the stolen funds through Binance, KuCoin, and Circle, which were notified so that they could take mitigating action.

Etherscan, a tool to view data on any pending or confirmed Ethereum blockchain transactions, revealed the addresses of the wallets containing the stolen funds.

Polygon:

0xafad9352eb6bcd085dd68268d353d0ed2571af89 (2 million BZRX)

BSC:

0x74487eed1e67f4787e8c0570e8d5d168a05254d4 (10 million BZRX)

0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (2.5 million BZRX)

0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5 (Primary hacker wallet)

Ethereum:

0x74487eed1e67f4787e8c0570e8d5d168a05254d4 (10 million BZRX)

0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (12 million BZRX) 

0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (82K BZRX)

0x74487eEd1E67F4787E8C0570E8D5d168a05254D4 (4 million ETH, primary hacker wallet)

0x1ae8840ceaef6eec4da1b1e6e5fcf298800b46e6 (USDT was frozen, hacker wallet)

0xAfad9352eB6BcD085Dd68268D353d0ed2571aF89 ($1.4 million DAI, $243K USDC, $15m ETH, hackers wallet)

0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (2 million ETH, hacker wallet)

0x6abcA33faeb7deb1E61220e31054f8d6Edacbc81 (1.5 million BZRX, hacker wallet, internal transactions from KuCoin) 

0x1Ae8840cEaEf6EeC4dA1b1e6e5FCf298800b46e6  (Hacker sent funds out from KuCoin to this address)

bZx response

bZx claims that it is working with law enforcement, exchanges, and investigators to identify the perpetrator and recover the stolen funds. It is relaunching the Polygon and BSC deployments under Decentralized Autonomous Organization (DAO) control and is developing a compensation plan for affected users.

It has also published a message to the attacker, encouraging them to return the stolen funds in return for a bounty. Users are reminded to revoke any bZx contract approval on Polygon or BSC.
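
The approval cleanup described above can be checked from a token's event logs. The following is an added example, not code from bZx or from the original article: it replays ERC-20 Approval logs to find allowances to a given spender that are still non-zero and builds the approve(spender, 0) calldata that revokes them. All addresses and log entries are constructed placeholders; the real bZx contract addresses are not given on this page.

```python
# Added example: constructed logs and placeholder addresses, not real bZx contracts.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"          # approve(address,uint256)
UNLIMITED = 2**256 - 1

def topic_to_addr(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, spender):
    """Replay ERC-20 Approval logs (eth_getLogs shape) in chain order and return
    {(token, owner): amount} for allowances to `spender` last set to non-zero."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        t = log["topics"]
        if len(t) != 3 or t[0] != APPROVAL_TOPIC:
            continue                    # not an ERC-20 Approval (ERC-721 has 4 topics)
        if topic_to_addr(t[2]) != spender.lower():
            continue
        state[(log["address"].lower(), topic_to_addr(t[1]))] = int(log["data"], 16)
    # Logged value is the last amount approved; confirm with allowance() on-chain.
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent by the owner to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def _log(token, owner, spender, amount, block, index):
    """Build one constructed Approval log in JSON-RPC shape."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount), "blockNumber": hex(block), "logIndex": hex(index)}

# Placeholder addresses (constructed): token, affected spender, unrelated spender, owners.
TOKEN, SPENDER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
ALICE, BOB = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE_LOGS = [
    _log(TOKEN, BOB, SPENDER, 0, 18, 0),            # Bob revokes later
    _log(TOKEN, ALICE, SPENDER, UNLIMITED, 16, 3),  # Alice: unlimited, never revoked
    _log(TOKEN, BOB, SPENDER, 1000, 17, 1),
    _log(TOKEN, ALICE, OTHER, UNLIMITED, 16, 4),    # different spender, ignored
]

if __name__ == "__main__":
    for (token, owner), amount in live_allowances(SAMPLE_LOGS, SPENDER).items():
        kind = "UNLIMITED" if amount == UNLIMITED else str(amount)
        print(f"{owner} -> {SPENDER} on {token}: {kind}; revoke with {revoke_calldata(SPENDER)}")
```

The logs are deliberately out of order so that the replay has to sort them; Bob's later zero approval removes him from the result, while Alice's unlimited approval remains flagged.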

An earlier bZx attack in February 2020 saw $500,000 in ETH stolen. After that, the DeFi lending protocol team worked to strengthen security on L2 by allowing an external audit of the core protocol.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.

David Thomas
David Thomas graduated from the University of Kwa-Zulu Natal in Durban, South Africa, with an Honors degree in electronic engineering. He worked as an engineer for eight years, developing software for industrial processes at South African automation specialist Autotronix (Pty) Ltd., mining control systems for AngloGold Ashanti, and consumer products at Inhep Digital Security, a domestic security company wholly owned by Swedish conglomerate Assa Abloy. He has experience writing software in C,...