Last updated: July 5, 2026 at 9:01 AM UTC
Tag: crypto (3 articles)

Polymarket users lose nearly $3 million in website supply-chain attack

The crypto prediction market Polymarket says attackers stole close to $3 million from users after compromising a third-party vendor and injecting a malicious script into the platform's website. The script ran on the live site and prompted users connecting their wallets to approve transactions that drained their funds; researchers traced roughly $2.94 million taken from around a dozen accounts and bridged into Ethereum. Because the attack rode in through a trusted frontend dependency rather than Polymarket's own systems, it was invisible to users. Polymarket removed the dependency, contained the incident, and pledged full refunds. It was the platform's second security incident in two months.

Check
Review the third-party scripts and dependencies loaded by your web frontends, and confirm you would detect unauthorized changes to them; users should be wary of unexpected wallet-signing prompts.
Affected
Web platforms that load third-party frontend dependencies, and their users; a single compromised vendor can inject wallet-draining or credential-stealing code that runs as trusted, first-party code in the browser.
Fix
Pin and integrity-check third-party scripts with Subresource Integrity, monitor frontend code for unauthorized changes, vet and limit vendor dependencies, and warn users to scrutinize every wallet-signing or credential prompt.

Rokarolla Android trojan hits 217 banking and crypto apps with full device control

Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.

Check
Ensure mobile users install apps only from official stores, keep Google Play Protect on, and treat any app requesting Accessibility access, especially a fake Play Protect prompt, as suspicious.
Affected
Android users who side-load apps from links or sites impersonating TikTok, Chrome, or other popular apps; customers of the 217 targeted banking and cryptocurrency apps are the financial target.
Fix
There is no patch since this is malware. Install only from official app stores, keep Play Protect enabled, deny Accessibility access to untrusted apps, and use mobile threat defense on managed devices.

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles, particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls, including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.