Blockchain security firm SlowMist has estimated that $55 million (USD) or more in cryptocurrency was stolen by cyber criminals from the bZx Decentralized Finance (DeFi) platform. bZx publicly disclosed that one of its platform developers clicked on a phishing email attachment that contained an embedded malicious macro. The later stages of the attack emptied the developer’s personal cryptocurrency wallet and stole private keys that the platform was using for integration with the Polygon and Binance Smart Chain (BSC) blockchains. As a result, criminals were able to use these private keys to steal cryptocurrency from the Polygon and BSC funds, as well as from any users who enabled unlimited spending tokens for Polygon and BSC on their accounts. bZx has said it is working with cryptocurrency exchanges to track the attacker and freeze exchanges in an effort to return as many of the stolen funds as possible.
bZx has made a public announcement that it is willing to pay a bounty to the alleged perpetrators if the funds are returned. This strategy was successfully pursued in the larger $600 million (USD) hack of PolyNetwork earlier this year. In that incident, all of the stolen funds were returned in exchange for a legally paid bug bounty and a contract that would discourage law enforcement prosecution. It remains to be seen whether the alleged criminals behind the bZx theft respond favorably to this announcement. The ease of this theft illustrates that it is essential that private keys for production environments be protected and separated from development and other work environments.
#bZx private key compromised, over $55 million dollars stolen so far. We’ll continue to update as more information is discovered. @RektHQ @ChainNewscom @bZxHQ https://t.co/SM6WWDt06J pic.twitter.com/39S05IiBFr
— SlowMist (@SlowMist_Team) November 5, 2021