bZx reported that a developer received a phishing email with a malicious Word macro, leading to compromise of the developer's personal mnemonic wallet phrase. Because that externally owned account controlled bZx deployments on Polygon and BSC, the attacker was able to take over contracts, drain BZRX, and modify code so tokens could be extracted from wallets that had granted approvals to the affected contracts. SlowMist tracking cited losses of roughly $55 million, with stolen BZRX later bridged or used as collateral on Ethereum to borrow other assets. The incident shows how a simple phishing payload against a privileged developer can escalate into protocol-level loss when contract control depends on a single compromised key.