CoinDaily: Something fishy is going on with bZx

By Shawn R. Key, CEO, CYBR International (www.cybrinternational.com)

How does a multi-million dollar marketcap crypto company trade on Binance when it has no public offices, a CEO who doesn’t know the company’s own mailing address and which has lost nearly 94% of its value in six weeks due to a questionable “hack”?

bZx (bzx.network) is a crypto project which states that it is “A Protocol For Tokenized Margin Trading and Lending”. As of October 7, 2020, the market cap is shown to be $15,429,400 per Coingecko. The token trades at just under $.11 at this time of writing but traded as high as $1.74 about 6 weeks ago. What causes a token to lose roughly 94% of its value in six weeks’ time? Let’s take a look.

bZx has had its share of troubles for some time. According to bZx’s own report, the protocol was compromised for the first time on Feb. 14, 2020 when the team was at the ETHDenver industry event. The second attack, according to industry news outlet The Block, took place on Feb. 18, 2020.

The first hack resulted in hackers(s) running off with approximately $318,000. According to an in-depth analysis of the attack, the transaction with which the attacker opened the leveraged trade should have been prevented by safety checks, but those checks did not fire due to a bug in bZx’s smart contract. The team behind the protocol announced that the bug has been patched.

The second hack is a little more unclear but The Block estimated the loss to be 2,388 ETH (nearly $636,000). bZx said that the team neutralized the hack and prevent the loss of user funds like they did for the first hack. Furthermore, they promised that bZx developers would switch to oracles based on the Chainlink protocol, seemingly suggesting that it would make the system safer.

Fast forward to September 2020. And this is a doozy. It appears $8.1 million was initially lost in a new hacking attack, the third this year, caused yet again by a flawed code in its smart contracts.

The bug allowed the hacker to mint 219,200 LINK tokens (valued at $2.6 million); 4,503 ETH ($1.65 million); 1,756,351 USDT ($1.76 million); 1,412,048 USDC ($1.4 million) and 667,989 DAI (worth $681,000).

Marc Thalen, lead engineer at Bitcoin.com, first discovered the vulnerability in the smart contracts and reported it to Bzx, warning $20 million was at risk.

Now this is where things go off the rails. After public wrangling about whether this constituted a bug bounty or not (at question was a disputed reward as the hack was “in progress” when Thalen discovered the bad actor activity), bZx claimed to have agreed to a partial reward of about $45,000. Then, almost by magic, the company claimed the $8M was returned. The company soon stated afterward that law enforcement was involved and admins in the unofficial groups even claimed the perpetrator had been caught. So all should be well right? Not so fast.

Kyle Kistner, based in Atlanta, GA and co-founder of bZx stated publicly that the company could not divulge any minor information due to “legal reasons”. This seemed a bit odd is it’s common when a criminal I caught to have that person publicly outed in the media assuming he/she is an adult. That’s when I started making some calls and sent out email messages.

I initially reached out to Coindesk who spoke with me about this incident. They stated it smelled “fishy” but as Kyle and Tom Bean, based in San Diego, CA and also a co-founder of bZx would not comment further, they had nothing else to go on. They also stated that Mark Thalen had reached out before bZx had agreed to a partial bounty and that it was clear Mark was holding something over bZx’s head.

Kyle Kistner, co-Founder, bZx

Tom Bean, co-Founder, bZx

I then reached out to Mark Thalen directly who quickly became defensive and stated he would only support any comments made publicly by bZx. The smoke started to rise for me at this point.

I then reached out to a bZx who was highly knowledgable of the incident and whom willingly shared a ton of screenshots and answered nearly every question which he had information about.

He claimed Mark Thalen had basically blackmailed bZrx and that Kyle and Tom had reluctantly given him a partial reward to just resolve the bad press that bZx was getting from Mark’s public complaining on social media. This is where my expertise comes into play.

As the CEO of CYBR International, we do a LOT of ethical hacking and vulnerability assessments. Never in my 20 years of experience have I or an employee ever tried to extort money for passing along cyber security analysis and reporting. As Coindesk stated, something smelled “fishy”.

I requested a Telegram conversation with Kyle and Tom via a bZx admin. I explained who I was, why I was reaching out and shared my company credentials. The bZx admin set one up very quickly.

While I was waiting for Kyle and/or Tom to join, I asked a question:

007, [06.10.20 21:30]

We also are trying to obtain the physical address location for the company. As of now, all we have is what appears to be a Singapore based Profile Report and there is no corporate office address listed. This will not be shared in the article but among the group I have spoken with, no one had a record of your physical office location.

 

007, [06.10.20 21:30]

https://xangle.io/project/report/BZRX/en

 

Chris | bZx, [06.10.20 21:32]

We are a remote working company, no central office unless you want to count Tom or Kyle's home address haha

This company had a marketcap of nearly $141M less than six weeks ago but only work out of Tom and Kyle’s homes (haha).

Red flags went top everywhere. I continued.

 

007, [06.10.20 21:32]

Where does official correspondence get sent to?

 

Chris | bZx, [06.10.20 21:32]

I mean, I work from Australia and Tom and Kyle are in different parts of America last I checked.

 

[Speechless].

 

Chris | bZx, [06.10.20 21:33]

[In reply to 007]

@TOMbZx will know that one, he is the CEO

 

007, [06.10.20 21:33]

Kyle is in San Diego. I get that.

 

007, [06.10.20 21:33]

Tom is in Atlanta I believe

 

Kyle then popped in, typed “Tom…Check your messages” and disappeared.

Kyle KistnΞr | Fulcrum, [06.10.20 21:35]

Tom

 

Kyle KistnΞr | Fulcrum, [06.10.20 21:35]

Check your messages

 

007, [06.10.20 21:35]

Hello gentlemen

 

007, [06.10.20 21:39]

If a telephone call is preferred, that is do-able as well. I am happy to accomodate and want everyone to be as comfortable as possible with my requests. I am simply doing my job. :)

 

That’s when Tom Bean joined the Telegram session.

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 21:53]

What’s your job?

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 21:53]

Who do you work for and what’s the purpose of this? Please give some context

 

007, [06.10.20 22:00]

Sure. I am the ceo of a cyber security and forensics company. We are working with a media outlet who will be issuing an article. It’s only fair to give your company a chance to respond. I’m honest and above board. There are gaps here. I’ve presented my primary questions above. You certainly can decline comment. I think it would behoove everyone to answer these questions which frankly are simple requests. All I can do is ask.

 

007, [06.10.20 22:01]

I’ll say I don’t take a biased approach and only follow the trail where the facts lead.

 

007, [06.10.20 22:02]

I am not affiliated officially with LE or the FBI but I will say I’ve had two retired FBI CIOs on my board and have a relationship throughout the US with LE and joint task forces. Just being transparent

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:03]

We’ve been quiet on the facts because there’s an on going police investigation. Not sure what breaking story they wish to publish but my impression from what you are saying is that it will be negative. We have nothing to hide. We are just waiting until the appropriate time.

 

007, [06.10.20 22:05]

I’m not trying to issue a negative article. You’ve claimed repeatedly there’s an investigation. Your admins have claimed publicly there was an arrest. My database requests from viable sources shows nothing in terms of a police criminal report in any jurisdiction in Atlanta or San Diego. And there is No federal file. So my simple question (and I won’t even follow up here) is which jurisdiction is the investigation ongoing?

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:06]

That’s because this was an international incident. The attacker was not US based. We also never claimed there was an arrest.

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:07]

We can blow this investigation up with facts. We are just waiting until the proper time. I feel like the article doesn’t have the best intentions.

 

007, [06.10.20 22:08]

Ok. I won’t press beyond this. Are you working with Interpol or a similar organization and if so, whom? Again, I am trying to get facts. I’m not assuming anything Tom.

 

007, [06.10.20 22:09]

My other 2 questions were easier. Is there a public wallet showing where the funds were returned to and are they still in that escrow? And lastly, what is BZX’s official correspondence address (the company address). That’s all I’m asking.

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:16]

The funds are mostly back in the loan pools after receiving them back from the attacker. There are a small portion on their way back that are still tied up in the legal process. It’s late here and I’m on my phone but I can provide the wallet tomorrow. We’ve already provided this to others that have asked. We aren’t hiding anything. We also have a PO Box where correspondence can be sent. We don’t have a physical address. Our team is spread around the globe. I also don’t have it memorized and can provide it tomorrow.

 

007, [06.10.20 22:16]

I look forward to your follow up. Thank you for your time.

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:16]

None of our users lost funds in this attack. All funds are recovered. Let me be clear about that.

 

007, [06.10.20 22:17]

If there is anything else you care to add, feel free. I won’t press with any other questions. Have a goodnight. Cheers.

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:17]

Not sure why they hired you, I’m sure you are good at your job, but it’s a waste of time to try to find the team at fault. :)

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:17]

We can back up all claims

 

007, [06.10.20 22:18]

And that’s all that I’m looking for. Appreciate you understanding the need for clarification and full disclosure

 

Tom Bean - bZx.network / fulcrum.trade, [06.10.20 22:18]

Thanks

 

The questions I posed are all reasonable. First, If the funds were returned, show the wallet address and prove to the public that the funds have been escrowed. This instills trust. And after three hacks, a budding project owes this to the community. Second, if you’re a multi million dollar market cap company trading on a major crypto exchange, how do you not have an office? How do you not know your PO Box, which let’s face it, is shady to begin with. Third, Why will you not state which jurisdiction the investigation is occurring in nor out the hacker(s)? This to me has the faint air of “inside job” and when you couple that with the questionable behavior of “bounty hunter” Mark Thalen, more questions than answers exist.

As a sidenote, no further correspondence was received from Kyle or Tom.

Let’s switch gears to Binance and the other exchanges bZx has listed on. If a project like this can be listed and millions of funds are at stake, where is the due diligence? No headquarters? No public incorporation address? The only information I readily found is a repot issued from a company in…Singapore. When we also dive deeper an look at the auditors who supposedly have given bZx the “greenlight”; with regards to their smart contract security, we discover that Peckshield and Certik have supposedly performed the audits. Both companies have strong ties to China. bZx claims that they have invested over $200,000 into audits. Clearly, after three hacks, this isn’t good enough.

bZx is exactly the kind of company that the U.S. has been working hard to keep U.S. investors away from. I cannot fathom how many other companies like bZx are out there on major exchanges creating major losses for their investment community by poor due diligence, insufficient cyber security and questionable corporate activity and directors. I don’t think this will be the end of this story as historically this is where I have seen law enforcement get involved. With recent charges filed against entities such as Arthur Hayes (Bitmex) and John McAfee, it would seem it is just a matter of time before more companies and persons are shut down and/or go to jail.

CYBR International is a U.S. based cyber security solutions and forensics/investigations company with close ties to the Intelligence Community (IC), Department of Homeland Security (DHS) and Law Enforcement. CYBR International reports on malicious code and associated bad actor activity in the crypto currency and critical missions vectors. CYBR
International incorporates solutions that collectively monitor over 1.5M global business 24/7. Visit us at www.cybrinternational.com for more information.

© 2020 CryptoDaily All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.