The spear-phishing attack on an employee of decentralized finance (DeFi) platform bZx, which lets users lend, borrow, and speculate on cryptocurrency price movements, handed the attackers two private keys that the platform used to operate its contracts on the Polygon and Binance Smart Chain (BSC) blockchains.
“After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval,” noted the platform in its initial investigation into the incident.
bZx has not yet put a figure on the stolen funds, but blockchain security firm SlowMist, which is tracking the incident, estimates the losses at more than $55 million based on the malicious transactions it has detected.
Million dollar heist
According to the platform, a bZx developer was sent a phishing email carrying a Microsoft Word document with a malicious macro, disguised as a legitimate attachment. When opened, the macro ran a script that stole the developer’s personal mnemonic (seed) phrase for their cryptocurrency wallet.
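The infection vector described above is a macro inside an Office document. A cheap check that a mail gateway or an analyst can run before such a file reaches a developer is to look inside the file for a VBA project rather than trusting its extension. The Python below is an added example written for this article, not bZx’s or anyone’s incident tooling; the documents it inspects are constructed in memory, and the OLE2 stream-name check is a rough pre-filter (a real triage would hand the file to a full parser such as oletools’ olevba).

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 / Compound File format (.doc, .xls, .ppt)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML packages declare for an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# OLE2 directory entries store stream names as UTF-16LE; a VBA project always has this stream
OLE2_VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")


def classify_office_file(data: bytes) -> dict:
    """Inspect raw file bytes and report whether they carry a VBA macro project.

    Returns {"format": "ooxml" | "ole2" | "unknown", "has_vba": bool, "evidence": [...]}.
    The file extension is deliberately ignored: it is attacker-controlled.
    """
    result = {"format": "unknown", "has_vba": False, "evidence": []}

    if data.startswith(OLE2_MAGIC):
        # Legacy binary format. Heuristic only: look for the _VBA_PROJECT stream name;
        # a proper triage would parse the OLE directory tree instead of scanning bytes.
        result["format"] = "ole2"
        if OLE2_VBA_STREAM in data:
            result["has_vba"] = True
            result["evidence"].append("OLE2 stream name _VBA_PROJECT present")
        return result

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # neither OLE2 nor a zip container: not an Office document

    result["format"] = "ooxml"
    # 1. Any part named vbaProject.bin holds compiled macros, wherever it sits in the package
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            result["has_vba"] = True
            result["evidence"].append(f"package part {name}")
    # 2. The content-types manifest should also declare the VBA part and a macro-enabled main part
    try:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    if VBA_CONTENT_TYPE in manifest:
        result["has_vba"] = True
        result["evidence"].append("manifest declares " + VBA_CONTENT_TYPE)
    if "macroEnabled" in manifest:
        result["evidence"].append("manifest declares a macroEnabled main part")
    return result


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (a test fixture, not a real Word file)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    manifest = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>',
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            manifest.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")
        manifest.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean.docx", build_sample_document(with_macro=False)),
        ("invoice.docx (macro inside, extension lies)", build_sample_document(with_macro=True)),
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 64 + OLE2_VBA_STREAM + b"\x00" * 64),
    ]
    for label, blob in samples:
        print(label, "->", classify_office_file(blob))
```

A file that reports `has_vba` is not automatically malicious, and a clean verdict from this check is not proof of safety (macros are only one of several Office attack surfaces), but it is enough to route macro-bearing attachments to sandbox detonation or to strip them before delivery to mailboxes that hold signing or deployment keys.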
The attack escalated once the attackers held the two private keys. Beyond the developer’s own funds, it affected lenders, borrowers, and yield farmers with funds on Polygon and BSC, as well as anyone who had granted unlimited token approvals to the compromised contracts. An unlimited approval lets the approved contract move the owner’s entire balance of that token straight from their wallet, so tokens that were never deposited into bZx were exposed too.
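The last point is the one token holders most often overlook: an ERC-20 approval is an allowance recorded by the token contract, and an unlimited one lets the spender call transferFrom on the owner’s full balance at any time, which is why upgrading the approved contract was enough to drain wallets. A holder on those chains would want to enumerate which contracts still hold unlimited allowances from them and revoke each one. The Python below is an added example for this article, not bZx tooling: it replays a constructed list of Approval event logs (the shape an eth_getLogs RPC call returns, with constructed addresses), keeps the latest allowance per token/owner/spender, flags the effectively unlimited ones, and builds the approve(spender, 0) calldata that revokes one. The Approval topic and approve selector are the standard ERC-20 values; the 2**128 threshold is an assumption chosen here.

```python
# keccak256("Approval(address,address,uint256)"), topic0 of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte selector of approve(address,uint256)
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1
# Policy knob (assumption): anything at or above this is treated as "effectively unlimited",
# since some dapps request values such as 2**255 instead of the exact maximum.
UNLIMITED_THRESHOLD = 2**128


def topic_to_address(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; the address is the low 20."""
    return "0x" + topic[-40:].lower()


def latest_allowances(logs):
    """Replay Approval events in block order; the most recent approve() per key wins.

    Each log has the eth_getLogs shape: address (token), topics[0..2], data (hex uint256).
    """
    allowances = {}
    for log in logs:
        topics = log.get("topics", [])
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)
    return allowances


def find_unlimited_approvals(logs, threshold=UNLIMITED_THRESHOLD):
    """Return [(token, owner, spender, allowance)] for allowances still at or above threshold."""
    return [
        (token, owner, spender, value)
        for (token, owner, spender), value in latest_allowances(logs).items()
        if value >= threshold
    ]


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): the call the owner sends to the token to revoke."""
    spender_word = spender.lower().replace("0x", "").rjust(64, "0")
    zero_word = "0" * 64
    return "0x" + APPROVE_SELECTOR + spender_word + zero_word


# ---- constructed sample data (not real chain data) ----
def pad_topic(address: str) -> str:
    return "0x" + address[2:].lower().rjust(64, "0")


TOKEN = "0x1111111111111111111111111111111111111111"
PROTOCOL = "0x2222222222222222222222222222222222222222"  # hypothetical upgradeable lending contract
ALICE = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
BOB = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
CAROL = "0xcccccccccccccccccccccccccccccccccccccccc"

SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(ALICE), pad_topic(PROTOCOL)], "data": hex(MAX_UINT256)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(BOB), pad_topic(PROTOCOL)], "data": hex(MAX_UINT256)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(BOB), pad_topic(PROTOCOL)], "data": "0x0"},  # Bob revoked
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(CAROL), pad_topic(PROTOCOL)], "data": hex(500 * 10**18)},
]

if __name__ == "__main__":
    for token, owner, spender, value in find_unlimited_approvals(SAMPLE_LOGS):
        shown = "MAX_UINT256" if value == MAX_UINT256 else str(value)
        print(f"{owner} granted {spender} an allowance of {shown} on {token}")
        print("  revoke by sending to the token:", revoke_calldata(spender))
```

Setting the allowance to 0 revokes it for every ERC-20 implementation, including tokens that refuse to change a non-zero allowance directly. The caveat this incident illustrates is that an allowance is a grant to an address, not to the code you reviewed: when the spender is an upgradeable proxy, the grant is only as trustworthy as whoever holds the upgrade key.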
While the platform compiles the list of affected wallets, it has disabled new deposits. bZx also says it is working with cryptocurrency exchanges to “track the attacker, and freeze, and potentially recover the stolen funds.”
The platform has also publicly asked the attacker to return the funds in exchange for a bounty, much as in the PolyNetwork incident, where the hacker returned all $600 million worth of stolen cryptocurrency.