Cyber Incident Victim: bZx
Date: Nov 2021
Location: United States of America
Summary
A decentralized finance platform suffered a $55 million cryptocurrency theft after a developer opened a phishing email carrying a malicious Microsoft Word macro, which compromised their personal computer. From that machine the attacker took the private keys bZx used for its Polygon and Binance Smart Chain deployments, drained platform funds with them, and also emptied the wallets of users who had granted those deployments unlimited token spending allowances. The service disabled its web interface to stop further deposits while working with exchanges to trace and freeze the stolen assets, and publicly urged the perpetrator to negotiate a bounty for returning the funds, following earlier high-profile DeFi restitution cases.
Description
On November 5, 2021, the decentralized finance (DeFi) platform bZx suffered a security breach resulting in the theft of approximately $55 million in cryptocurrency assets. The attack began when a bZx developer received a phishing email carrying a malicious macro inside a Microsoft Word document attachment disguised as a legitimate file. When the macro ran, the malware compromised the developer's personal computer and let the attacker drain the developer's personal cryptocurrency wallet. The intruder also extracted two private keys stored on the compromised machine; bZx used these keys to operate its deployments on the Polygon and Binance Smart Chain (BSC) blockchains. With those keys the attacker signed unauthorized transactions that drained bZx's Polygon and BSC reserves. A limited number of user wallets were emptied as well: those users had previously granted unlimited spending permissions (ERC-20 token allowances) for the affected tokens, so whoever controlled the compromised keys could move the users' tokens with transferFrom calls, without any further action or signature from the users themselves. Blockchain security firm SlowMist analyzed the malicious transactions and estimated losses exceeding $55 million, though bZx noted that its internal investigation into the precise total was still ongoing at the time of its initial public statement.
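
The allowance mechanism behind the user-wallet losses is worth seeing in code. The following is an added example written for this page, not bZx, SlowMist or any token's real contract code: a minimal Python model of ERC-20 `approve` / `transferFrom` semantics, assuming OpenZeppelin-style behaviour where an allowance of 2^256-1 is treated as unlimited and never decremented. The account names (`alice`, `bob`, `protocol`, `attacker`) and the balances are placeholders constructed for the demonstration. It shows why a compromised spender key drains every approver up to the smaller of their allowance and balance, why a bounded approval caps the loss, how to flag allowances that exceed the owner's balance, and that a revoke (approve 0) stops further transfers.

```python
"""Model of ERC-20 allowance semantics under spender-key compromise.

Constructed example for this page; not code from bZx or any real token.
Assumes OpenZeppelin-style ERC20: an allowance equal to UINT256_MAX is
"infinite" and is not decremented on transferFrom.
"""

UINT256_MAX = 2**256 - 1  # what wallets send for "unlimited" approvals


class ERC20Token:
    """Just enough of ERC-20 to show approve / transferFrom behaviour."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # In the real contract msg.sender is the owner; here we pass it explicitly.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Called by `spender` (whoever holds the spender's private key)."""
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # infinite allowances are never spent down
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token, compromised_spender, owners, attacker):
    """What a holder of the spender's key can take from each approver.

    The take is bounded by min(allowance, balance): an unlimited allowance
    means the whole balance, a bounded one means at most that bound.
    """
    stolen = {}
    for owner in owners:
        take = min(token.allowance(owner, compromised_spender),
                   token.balances.get(owner, 0))
        if take > 0:
            token.transfer_from(compromised_spender, owner, attacker, take)
            stolen[owner] = take
    return stolen


def risky_allowances(token, owner):
    """Flag every spender allowed to move more than `owner` currently holds.

    Catches UINT256_MAX approvals and any bound that has outlived its purpose.
    """
    bal = token.balances.get(owner, 0)
    return {sp: amt for (o, sp), amt in token.allowances.items()
            if o == owner and amt > bal}


def revoke(token, owner, spender):
    """Standard remediation: set the allowance to zero."""
    token.approve(owner, spender, 0)


def scenario():
    """Two users, one unlimited and one bounded approval, then key compromise."""
    token = ERC20Token({"alice": 1_000, "bob": 1_000, "attacker": 0})
    token.approve("alice", "protocol", UINT256_MAX)  # unlimited, as in the incident
    token.approve("bob", "protocol", 100)            # bounded to one intended deposit

    flagged_before = {u: risky_allowances(token, u) for u in ("alice", "bob")}
    stolen = drain(token, "protocol", ["alice", "bob"], "attacker")

    # Bob revokes; a second pass with the same key now takes nothing from him.
    revoke(token, "bob", "protocol")
    stolen_again = drain(token, "protocol", ["alice", "bob"], "attacker")
    return stolen, stolen_again, flagged_before, dict(token.balances)


if __name__ == "__main__":
    for part in scenario():
        print(part)
```

The point the model makes is that the user never had to sign anything at the time of theft: the approval signed months earlier was sufficient, and `risky_allowances` is the check a wallet owner (or a protocol advising its users) can run to find approvals that exceed what they actually hold.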

In response to the breach, bZx immediately disabled its website's user interface to prevent new deposits and limit further exposure. The platform engaged cryptocurrency exchanges to trace the movement of the stolen assets and to attempt freezing or recovery. Publicly, bZx addressed the attacker directly in its post-mortem update, inviting contact with its decentralized autonomous organization (DAO) at a specified email address to discuss returning the funds in exchange for a bounty, a strategy reminiscent of the Poly Network incident a few months earlier, in which the hacker ultimately returned roughly $600 million in stolen assets. The company did not disclose detection timelines or internal containment procedures beyond confirming the phishing vector and the compromise of two private keys. Based on publicly available valuations at the time, the incident ranked as the fifth-largest cryptocurrency theft of 2021. No user reimbursement plan or further operational disruption was detailed in the immediate aftermath beyond the UI suspension and the ongoing coordination with exchanges.
