Malware Spread via Fake Polymarket Trading Bot Targets DeFi Developers

Malware Spread via Fake Polymarket Trading Bot Targets DeFi Developers

First seen 2 Jul 2026, 18:59 UTC CryptopolitanMexc 98% similarity 78.5
Share:

Article Content

Browse articles
ThreatCluster

On July 1, 2026, security firm SlowMist identified a fake trading bot on GitHub designed to spread malware targeting Polymarket users and DeFi developers. The bot, named 'polymarket-arbitrage-bot', was promoted as a lucrative investment tool, claiming potential earnings of over $80,000 annually. It contained 30 malicious npm packages that were downloaded by at least 53 developers before being flagged. The malware, hidden within a dependency called 'clob-client-math', steals sensitive data such as wallet keys and browser passwords. The attack is believed to be part of a larger campaign by North Korean hackers known as 'Contagious Trader'. Users who installed the bot are advised to treat their systems as compromised and take immediate security measures. This incident follows a series of attacks on Polymarket users, including a recent phishing scam that drained $2.94 million from multiple accounts.

Key Points: • A fake trading bot for Polymarket was used to distribute malware targeting developers. • At least 53 developers downloaded the malicious bot before it was flagged. • The attack is linked to North Korean hackers and is part of a broader campaign.

ThreatCluster AI

Timeline

2026-06-30
Phishing scam drains Polymarket accounts
A phishing attack resulted in the theft of $2.94 million from at least 11 Polymarket accounts, highlighting ongoing security issues.
Cryptopolitan
2026-07-01
Fake trading bot flagged by SlowMist
SlowMist identified a malicious trading bot on GitHub that targeted Polymarket users, spreading malware through npm packages.
Cryptopolitan
2026-07-01
Malware discovered in npm packages
30 malicious npm packages were found linked to the fake bot, affecting at least 53 developers who installed it.
Mexc

Community

Browse all →