A phishing attack linked to a compromised third party vendor drained nearly $3 million from Polymarket users, prompting the prediction market platform to promise full refunds for everyone affected.
Key Takeaways
- Nearly $3 million worth of pUSD was stolen from at least 11 user wallets in a frontend phishing attack.
- Polymarket said a compromised third party vendor injected malicious code into its website interface.
- The platform has removed the malicious dependency and pledged to fully reimburse affected users.
- The incident adds to growing concerns about crypto security as exploit activity continues to rise across the industry.
What Happened?
Decentralized prediction market Polymarket has confirmed that hackers stole nearly $3 million from users after compromising a third party service provider and injecting malicious code into the platform’s frontend.
The attack, which security researchers described as a supply chain attack, affected fewer than 15 accounts and targeted users who interacted with the compromised interface.
This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.
— Polymarket Traders (@PolymarketTrade) June 25, 2026
Hackers Used Malicious Script to Drain User Wallets
The incident first came to light after blockchain security researcher Specter identified suspicious transactions involving Polymarket’s pUSD, the platform’s USDC-backed trading currency.
According to the researcher, the attack was a phishing campaign rather than an exploit of Polymarket’s smart contracts or prediction markets. The malicious script enabled attackers to drain funds from connected wallets after users interacted with the compromised frontend.
Blockchain security company PeckShield later estimated the losses at around $2.94 million, adding that the attackers bridged the stolen funds from Polygon to Ethereum before converting them into approximately 1,893 ETH.
The identity of the attackers remains unknown.
Polymarket Promises Full Refunds
In a statement posted on X, Polymarket confirmed the security incident and said the malicious code originated from a compromised third party vendor.
The company did not specify the exact number of affected users or the precise amount stolen, but several blockchain security firms estimated losses at roughly $3 million.
William LeGate, who works closely with the platform, also confirmed that the issue had been resolved and reiterated that all impacted users would receive full compensation.
Security firms GoPlus Security and Bubblemaps also classified the incident as a supply chain attack and praised Polymarket’s swift response after the malicious dependency was removed.
Another Security Incident for Polymarket
The latest breach comes only about a month after Polymarket disclosed another security incident involving an internal wallet.
In that case, attackers exploited a six year old private key used for employee reward top ups and stole between $600,000 and $700,000, according to estimates from security researchers including ZachXBT, PeckShield, and Bubblemaps.
Polymarket executives later said that incident did not affect user funds or smart contracts. The company revoked all permissions associated with the compromised key and migrated to improved key management systems.
Although the two incidents used different attack methods, both targeted systems outside the platform’s core prediction market infrastructure.
Crypto Exploits Continue to Climb
The Polymarket breach also highlights the broader security challenges facing the crypto industry.
According to DefiLlama, this was the 89th reported crypto security breach of the second quarter, making it the highest quarterly total by incident count in the platform’s records.
DefiLlama also reported $74.9 million in losses across 29 crypto exploits during June, compared with $60.5 million in May.
The data showed that private key compromises accounted for 43 percent of exploit losses over the past 30 days, underscoring the growing risks posed by weak operational security and third party dependencies.
The latest hack also arrives as Polymarket faces additional scrutiny following reports from The Wall Street Journal about its creator marketing practices and recent complaints from users regarding market resolution decisions.
CoinLaw’s Takeaway
In my experience, this incident is another reminder that crypto platforms are only as secure as the third parties they rely on. Polymarket’s decision to fully reimburse affected users is likely to help preserve trust, but the attack shows that even platforms with secure smart contracts can still be exposed through vendors and frontend infrastructure. I found the rising number of supply chain attacks particularly concerning because they target users directly and are often harder to detect before funds are lost.
