The Weekly Grind (Jun 25–Jun 28): Polymarket's $3.1M Hack & Ethereum's Job Cuts
Polymarket hacked for $3.1M. Ethereum cuts 54 jobs. Crypto roles shift as markets shake.
Exploits, audits, bridge attacks, key compromises, and post-mortems. The state of crypto security and the auditors trying to keep up.
Polymarket hacked for $3.1M. Ethereum cuts 54 jobs. Crypto roles shift as markets shake.
A supply chain attack on a third-party frontend vendor drained $3.1 million in PUSD from 11 Polymarket wallets. Users never touched a phishing link. They just visited the site. Now the CFTC has opened an investigation into the company for deceptive marketing.
Resupply, a stablecoin lending protocol backed by Convex and Yearn Finance, was drained of $9.5 million via a donation attack on a freshly deployed vault. The attacker started with a $4,000 flash loan and used 1 wei as collateral to borrow 10 million stablecoins.
World leaders at the Évian G7 summit officially classified DPRK crypto heists as a weapons-financing threat. Seven nations. $6.75 billion stolen. Zero arrests.
Worldcoin rival Humanity Protocol lost $32M after a private key compromise tanked $H by 90%. On-chain investigator ZachXBT says the evidence looks like an inside job.
A 4-year-old bug in Zcash's Orchard privacy pool let anyone mint unlimited counterfeit ZEC undetected. Claude Opus 4.8 found it. An emergency hard fork fixed it. But due to Zcash's own privacy guarantees, it's cryptographically impossible to prove it was never exploited.
Security experts warn that nation-states are quietly harvesting encrypted institutional crypto data today — planning to decrypt it once quantum computers arrive. Bitcoin has no plan. Ethereum does. 6.9 million BTC hangs in the balance.
Gravity Bridge, the cross-chain protocol linking Ethereum to Cosmos, was drained of $5.4 million in a suspected signing key compromise. May 2026 is now the worst month for bridge exploits on record, with $328M stolen.
StablR, a MiCA-regulated European stablecoin issuer, was drained by an attacker who exploited a single compromised key to mint 13.5 million in unbacked USDR and EURR tokens. Both stablecoins are now frozen.
ZachXBT flagged suspicious drains from Polymarket's UMA CTF Adapter on Polygon. The culprit: a forgotten six-year-old private key still tied to live operations.
Echo Protocol on Monad was exploited via a compromised admin key — minting 1,000 fake eBTC worth $76.7M. The attacker could only cash out $816K before the team burned the rest. Here's what actually happened.
THORChain was drained across Bitcoin, Ethereum, BNB Chain, and Base simultaneously on May 15. RUNE dropped 12%, all trading and signing was halted, and the team still hasn't explained the attack vector.
The Ethereum Foundation, Ledger, MetaMask, Trezor, Fireblocks and WalletConnect just launched Clear Signing — an open standard that replaces the hex garbage users blindly approve with human-readable transaction descriptions. Bybit's $1.5B hack started with a blind signing. So did most of yours.
Bitcoin Core quietly patched its first-ever memory safety bug in late 2024, disguising the fix as a logging improvement. The vulnerability — now public — let miners remotely crash nodes running versions 0.14.0 through 28.x. Nearly half the network is still exposed.
A single obfuscated tweet tricked xAI's Grok into executing a $175K on-chain transfer — no private keys stolen, no smart contract exploit. Just a chatbot doing what it was told.
A coordinated attacker swept over 500 long-dormant Ethereum addresses, stealing ~$800K and routing funds through ThorChain. The compromise vector is still unknown — and your old wallets may not be safe.
April 2026 was the worst month in crypto hack history: 30 attacks, $625M drained, North Korea behind 76% of it. Now a developer is claiming DPRK trained an AI to autonomously exploit DeFi — and the Wasabi Protocol's $5M multi-chain drain may be its latest hit.
DeFi United drops its technical rescue blueprint today, with Consensys, Aave, Compound, the Solana Foundation and 14 other protocols pledging $300M+ in ETH to re-collateralize rsETH after the $292M Lazarus-linked KelpDAO exploit. This is the most coordinated cross-protocol rescue in DeFi history.
A zero-day exploit in Litecoin's MimbleWimble privacy layer triggered a 13-block chain reorg, wiping three hours of transactions. Litecoin denied it was a zero-day. GitHub commits say otherwise.
Lazarus Group's new 'Mach-O Man' macOS malware is targeting crypto and fintech executives with convincing fake meeting invites, stealing keychain data and wallet credentials before erasing itself completely.
April 2026 is already the worst month for crypto hacks since February 2025. $606 million gone in 18 days. 3.7x the entire first quarter. Today, Congress is holding hearings. Here's what broke.
Hackers breached Vercel — the hosting backbone for thousands of DeFi apps — by exploiting a compromised third-party AI platform. API keys, tokens, and source code are on sale for $2M on BreachForums.
Kelp DAO's rsETH bridge was drained in minutes after an attacker forged LayerZero cross-chain messages. Bad debt cascaded across Aave, Compound, and Euler. It's 2026's biggest DeFi hack — so far.
Operation Atlantic, a joint US-UK-Canada law enforcement strike, froze $12M and traced $45M in crypto approval phishing fraud across 30+ countries. Here's what that means for the industry.
41 violent crypto kidnappings in 2026. France now has the worst crypto ransom attack rate in the world, and the interior ministry just admitted they've lost control.
Grinex — the sanctions-dodging successor to Russia's notorious Garantex — shut down after a $13M hack and blamed 'Western special services.' The irony is too rich.
A new 'canary address' proposal would only freeze 6.5 million vulnerable BTC — including Satoshi's coins — if a quantum computer actually proves it can break Bitcoin first. Adam Back says there's a better way.
Tether is bailing out Drift Protocol with $148M after North Korea's $285M heist — but the real play is quietly replacing Circle's USDC as Solana DeFi's settlement currency.
A fraudulent Ledger Live app slipped through Apple's review process, stayed live for roughly two weeks, and drained $9.5 million from 50+ victims before ZachXBT blew the whistle.
A forged cross-chain proof let an attacker mint 1,000,000,000 fake DOT tokens on Ethereum in a single transaction. Thin liquidity saved Polkadot. Twelve days earlier, Hyperbridge had posted an April Fools' joke about exactly this.
Drift Protocol confirmed today that the April 1 exploit wasn't opportunistic — DPRK-linked hackers spent six months attending crypto conferences, building real relationships, and depositing real money before draining $270M.
ZachXBT just published a damning thread showing Circle had the power to freeze $232M in stolen Drift Protocol funds — during business hours, over 6 hours — and chose not to. It's part of a pattern spanning $420M across 15 cases since 2022.
Drift Protocol, Solana's leading perpetuals DEX, was drained of up to $285M in a still-unconfirmed exploit on April 1 — and the attacker is still moving funds right now.
Google says breaking Bitcoin may need 20x fewer qubits than thought. 6.9M BTC already exposed. The race to hire post-quantum crypto engineers starts now.
512K lines of TypeScript and 44 feature flags exposed via npm. If your crypto team uses AI coding tools, your threat model just changed.
The Axios supply chain attack dropped a crypto-wallet-stealing RAT on 100M weekly installs. What happened, why AI missed it, and the security roles crypto needs now.