---
title: "Polymarket Hack Exposes Users as $3M Stolen in Phishing Attack"
date: 2026-06-26
author: "Kathleen Kinder"
featured_image: "https://coinlaw.io/wp-content/uploads/2026/06/polymarket-hacked-for-3m-usd.jpg"
categories:
  - name: "Cryptocurrency"
    url: "/crypto.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Polymarket Hack Exposes Users as $3M Stolen in Phishing Attack

A phishing attack linked to a compromised third-party vendor drained nearly $3 million from Polymarket users, prompting the prediction market platform to promise full refunds for everyone affected.

## Key Takeaways

- Nearly $3 million worth of pUSD was stolen from at least 11 user wallets in a frontend phishing attack.
- Polymarket said a compromised third-party vendor injected malicious code into its website interface.
- The platform has removed the malicious dependency and pledged to fully reimburse affected users.
- The incident adds to growing concerns about crypto security as exploit activity continues to rise across the industry.

## What Happened?

Decentralized prediction market **Polymarket** has confirmed that hackers stole nearly **$3 million** from users after compromising a third-party service provider and injecting malicious code into the platform’s frontend.

The attack, which security researchers described as a **supply chain attack**, affected fewer than 15 accounts and targeted users who interacted with the compromised interface.

> This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.
> 
> — Polymarket Traders (@PolymarketTrade) [June 25, 2026](https://x.com/PolymarketTrade/status/2070155882906730671?ref_src=twsrc%5Etfw)

## Hackers Used Malicious Script to Drain User Wallets

The incident first came to light after blockchain security researcher **Specter** identified suspicious transactions involving Polymarket’s **pUSD**, the platform’s USDC-backed trading currency.

According to the researcher, the attack was a phishing campaign rather than an exploit of Polymarket’s smart contracts or prediction markets. The malicious script enabled attackers to drain funds from connected wallets after users interacted with the compromised frontend.

Blockchain security company **PeckShield** later estimated the losses at around **$2.94 million**, adding that the attackers bridged the stolen funds from **[Polygon](https://coinlaw.io/polygon-statistics/)** to **[Ethereum](https://coinlaw.io/ethereum-statistics/)** before converting them into approximately **1,893 ETH**.

The identity of the attackers remains unknown.

## Polymarket Promises Full Refunds

In a statement posted on X, Polymarket confirmed the security incident and said the malicious code originated from a compromised third-party vendor.

> This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.
>
> Polymarket

The company did not specify the exact number of affected users or the precise amount stolen, but several blockchain security firms estimated losses at roughly **$3 million**.

**William LeGate**, who works closely with the platform, also confirmed that the issue had been resolved and reiterated that all impacted users would receive full compensation.

Security firms **GoPlus Security** and **Bubblemaps** also classified the incident as a supply chain attack and praised Polymarket’s swift response after the malicious dependency was removed.

## Another Security Incident for Polymarket

The latest breach comes only about a month after Polymarket disclosed another security incident involving an internal wallet.

In that case, attackers exploited a **six-year-old private key** used for employee reward top-ups and stole between **$600,000 and $700,000**, according to estimates from security researchers including **ZachXBT**, **PeckShield**, and **Bubblemaps**.

Polymarket executives later said that incident did not affect user funds or [smart contracts](https://coinlaw.io/smart-contract-security-risks-and-audits-statistics/). The company revoked all permissions associated with the compromised key and migrated to improved key management systems.

Although the two incidents used different attack methods, both targeted systems outside the platform’s core prediction market infrastructure.

## Crypto Exploits Continue to Climb

The Polymarket breach also highlights the broader security challenges facing the crypto industry.

According to **DefiLlama**, this was the **89th reported crypto security breach of the second quarter**, making it the highest quarterly total by incident count in the platform’s records.

DefiLlama also reported **$74.9 million** in losses across **29 crypto exploits during June**, compared with **$60.5 million in May**.

The data showed that **private key compromises accounted for 43 percent of exploit losses over the past 30 days**, underscoring the growing risks posed by weak operational security and third-party dependencies.

The latest hack also arrives as Polymarket faces additional scrutiny following reports from The Wall Street Journal about its creator marketing practices and recent complaints from users regarding market resolution decisions.

## CoinLaw’s Takeaway

In my experience, this incident is another reminder that **crypto platforms are only as secure as the third parties they rely on**. Polymarket’s decision to fully reimburse affected users is likely to help preserve trust, but the attack shows that even platforms with secure smart contracts can still be exposed through vendors and frontend infrastructure. I found the rising number of supply chain attacks particularly concerning because they target users directly and are often harder to detect before funds are lost.
