bZx Protocol lost $55M when a developer's private keys were compromised via a phishing email containing a malicious macro.
A bZx developer received a phishing email with a malicious Microsoft Word document. Opening the document executed a macro that exfiltrated the developer's mnemonic seed phrase for their cryptocurrency wallets. The attacker used these keys to drain bZx protocol's BSC and Polygon deployments, plus a portion of Ethereum holdings, across multiple transactions.
Stolen funds moved across chains via bridges before being deposited into Tornado Cash. bZx team identified the attack vector as a phishing email with malicious macro. The incident highlighted the risk of personal device compromise in DeFi teams. bZx pivoted to community-governed DAO structure post-hack. No recovery of funds.