On November 5, 2021, the DeFi lending protocol bZx lost approximately $55 million — its third major incident, after the two foundational flash-loan attacks in February 2020. This time the attack wasn't on the smart contracts. A bZx developer opened a phishing email with a malicious Word document, and an attacker rode the chain of compromise all the way to the protocol's signing keys.
What happened
A bZx developer received a phishing email impersonating a legitimate contact, with an attached Word document. Opening the document triggered a malicious macro that executed a script on the developer's personal computer. The script:
- Stole the mnemonic phrase for the developer's personal wallet — and emptied it.
- Extracted two private keys that the developer's machine was holding for bZx's Polygon and BNB Chain deployments.
The Polygon and BSC deployments used upgradeable proxy contracts controlled by these admin keys. With both keys in hand, the attacker:
- Upgraded the bZx proxy contracts to a malicious implementation that allowed arbitrary withdrawals.
- Drained the protocol's holdings on Polygon and BSC — approximately $55M across ETH-equivalent and stablecoin balances.
- As a bonus, swept the balances of users who had granted the bZx contracts unlimited token approvals, adding several million in further losses.
The bZx Ethereum deployment was untouched — the developer's compromised machine held keys only for Polygon and BSC, and the multi-sig governing the Ethereum contracts required additional signers.
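The two mechanisms described above can be modelled in a few lines: which deployments a given set of stolen signer keys is enough to take over (a single-key admin versus a threshold multi-sig), and how much of users' balances an unlimited token approval hands to a compromised spender contract. This is an added example, not bZx's code; the key labels, the 3-of-5 Ethereum threshold, the addresses and the balances are all constructed placeholders.

```python
# Added example (not bZx's code). Models the incident's two mechanisms:
# (1) whether a set of compromised keys satisfies a proxy admin's signing
#     requirement, and (2) the exposure created by unlimited approvals.
# All key labels, thresholds and balances are constructed placeholders.
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance most dapps ask users to grant


@dataclass(frozen=True)
class Admin:
    """Who may call the proxy's upgrade function."""
    owners: frozenset   # key identifiers that can sign
    threshold: int      # signatures required; 1 means a single-key admin


@dataclass(frozen=True)
class Deployment:
    chain: str
    admin: Admin


def can_upgrade(stolen_keys, admin):
    """True if the attacker holds enough signer keys to authorise an upgrade."""
    return len(stolen_keys & admin.owners) >= admin.threshold


def compromised_chains(stolen_keys, deployments):
    """Chains whose proxy the attacker can re-point to a malicious implementation."""
    return sorted(d.chain for d in deployments if can_upgrade(stolen_keys, d.admin))


def exposure(allowance, balance):
    """Tokens a malicious spender can move via transferFrom: min(allowance, balance).
    An unlimited approval exposes the whole current balance and any future deposits."""
    return balance if allowance == MAX_UINT256 else min(allowance, balance)


def total_exposure(approvals):
    """approvals: (user, allowance, balance) tuples for one token and one spender."""
    return sum(exposure(allowance, balance) for _, allowance, balance in approvals)


# Constructed scenario mirroring the incident: one developer machine held the
# sole admin key for two chains, while the Ethereum admin was a multi-sig
# whose signers were not on that machine (threshold and signer names assumed).
DEPLOYMENTS = [
    Deployment("polygon", Admin(frozenset({"dev-key-polygon"}), 1)),
    Deployment("bsc", Admin(frozenset({"dev-key-bsc"}), 1)),
    Deployment("ethereum", Admin(
        frozenset({"signer-a", "signer-b", "signer-c", "signer-d", "signer-e"}), 3)),
]

STOLEN = frozenset({"dev-key-polygon", "dev-key-bsc"})  # what the macro exfiltrated

# Constructed approvals: (user, allowance, balance) in token base units.
APPROVALS = [
    ("alice", MAX_UINT256, 1_000),   # unlimited approval, full balance exposed
    ("bob", 500, 1_000),             # capped approval limits the damage
    ("carol", MAX_UINT256, 0),       # nothing to take today, but future deposits are
    ("dave", 10_000, 250),           # allowance above balance: balance is the cap
]

if __name__ == "__main__":
    print("chains the stolen keys can upgrade:", compromised_chains(STOLEN, DEPLOYMENTS))
    print("user funds reachable through approvals:", total_exposure(APPROVALS))
```

The threshold check is the whole argument for L10's outcome: the same two stolen keys that fully control a single-key admin contribute nothing toward a 3-of-5 multi-sig whose signers live elsewhere. The exposure function is the user-side counterpart; a capped approval bounds losses to the allowance, an unlimited one bounds them only by the balance.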
Attribution & aftermath
- Kaspersky's analysis of the phishing email payload and laundering signature subsequently attributed the operation to North Korea's Lazarus Group, one of the earliest publicly-documented Lazarus operations against a pure-DeFi target.
- bZx ultimately wound down lending operations after the third strike. The protocol survives in form (as Ooki DAO) but lost its standing as a serious DeFi lender.
- Stolen funds were laundered through Tornado Cash; no public recovery.
Why it matters
bZx's November 2021 incident is foundational for two reasons:
- It was an early warning that DeFi was now squarely in the Lazarus crosshairs. Prior Lazarus operations had focused on centralised exchanges; the precise targeting of a DeFi developer with a customised phishing payload, and the operational sophistication of monetising the keys cross-chain, were a preview of the much larger operations to come at Harmony, Radiant Capital, and ultimately Bybit.
- The same protocol can survive any number of smart-contract exploits — and still be killed by an endpoint compromise. bZx's Solidity code wasn't compromised in November 2021. A laptop was.
The lesson — that admin keys belong on hardware wallets behind multi-sig, full stop, regardless of how convenient single-key signing is for development — is one the industry has paid hundreds of millions of dollars to learn, repeatedly, in the years since.
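Hardware wallets behind a multi-sig are the preventive control; the detective counterpart is watching the proxies themselves, because a hostile upgrade is the one loud, on-chain step an attacker with stolen keys cannot avoid. The monitor below is an added example, not bZx's or any vendor's tooling. It assumes the ERC-1967 `Upgraded(address)` events have already been decoded into dicts with the proxy, the new implementation and the direct caller of the upgrade function; every address, block number and approved-implementation entry is a constructed placeholder.

```python
# Added example (not bZx's code): a minimal proxy-upgrade monitor.
# Input is assumed to be decoded Upgraded(address) events; every address and
# block number below is a constructed placeholder.

# Per-proxy expectations: the only caller allowed to invoke the upgrade
# function (e.g. a timelock fed by the multi-sig) and the implementations
# that have passed review. Any deviation is an alert.
EXPECTED = {
    "0xProxyPolygon": {"admin": "0xTimelockPolygon", "approved_impls": {"0xImplV3"}},
    "0xProxyBsc": {"admin": "0xTimelockBsc", "approved_impls": {"0xImplV3"}},
}

# Constructed event stream: one legitimate upgrade, two hostile ones from a
# bare developer EOA, and one from a proxy nobody registered for monitoring.
EVENTS = [
    {"block": 100, "proxy": "0xProxyPolygon", "implementation": "0xImplV3",
     "sender": "0xTimelockPolygon"},
    {"block": 250, "proxy": "0xProxyPolygon", "implementation": "0xEvilImpl",
     "sender": "0xDevEOA"},
    {"block": 251, "proxy": "0xProxyBsc", "implementation": "0xEvilImpl",
     "sender": "0xDevEOA"},
    {"block": 300, "proxy": "0xUnknownProxy", "implementation": "0xImplV3",
     "sender": "0xSomeone"},
]


def check_upgrade(event):
    """Return the reasons an upgrade event is suspicious; empty list means expected."""
    spec = EXPECTED.get(event["proxy"])
    if spec is None:
        return ["unmonitored proxy emitted Upgraded"]
    reasons = []
    if event["sender"] != spec["admin"]:
        reasons.append(f"upgrade called by {event['sender']}, expected {spec['admin']}")
    if event["implementation"] not in spec["approved_impls"]:
        reasons.append(f"implementation {event['implementation']} not in approved set")
    return reasons


def scan(events):
    """Yield (block, proxy, reasons) for every event that fails a check, in block order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["block"]):
        reasons = check_upgrade(ev)
        if reasons:
            alerts.append((ev["block"], ev["proxy"], reasons))
    return alerts


if __name__ == "__main__":
    for block, proxy, reasons in scan(EVENTS):
        print(f"block {block} {proxy}: " + "; ".join(reasons))
```

Two checks are deliberately independent: an upgrade from the right caller to an unreviewed implementation is as alarming as one from the wrong caller, and an unregistered proxy emitting the event is itself a finding, since it usually means an inventory gap rather than benign noise.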
Sources & on-chain evidence
- [01] therecord.media: https://therecord.media/hacker-steals-55-million-from-bzx-defi-platform
- [02] coindesk.com: https://www.coindesk.com/business/2021/11/05/defi-lender-bzx-suffers-hack-for-reported-55m
- [03] halborn.com: https://www.halborn.com/blog/post/explained-the-bzx-hack-november-2021