The crypto prediction market Polymarket says attackers stole close to $3 million from users after compromising a third-party vendor and injecting a malicious script into the platform's website. The script ran on the live site and prompted users connecting their wallets to approve transactions that drained their funds; researchers traced roughly $2.94 million taken from around a dozen accounts and bridged into Ethereum. Because the attack rode in through a trusted frontend dependency rather than Polymarket's own systems, it was invisible to users. Polymarket removed the dependency, contained the incident, and pledged full refunds. It was the platform's second security incident in two months.
Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.
ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.