Polymarket Loses $3M In Frontend Hack, Then Promises Full Repayment

Polymarket said it will fully repay users after a compromised vendor script drained about $3 million from fewer than 15 accounts.

Key Points:

Polymarket Hack

Polymarket confirmed Friday that attackers used a compromised third-party vendor to place malicious code in its frontend, exposing some users to a wallet-draining attack.

The breach was first flagged by on-chain security researcher Specter, who said an apparent phishing campaign had drained funds from more than 11 wallets holding PUSD (PUSD), Polymarket’s stablecoin.

Specter estimated the losses at $2.94 million, while PeckShield later confirmed a similar figure and said the attacker bridged funds from Polygon (POL) to Ethereum (ETH), then converted them into 1,893 ETH.

The platform acknowledged the breach through its Polymarket Traders account on X, saying the affected dependency had been removed and that impacted users would be contacted directly.

“This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it and removed the affected dependency,” it wrote. “We’re contacting impacted users and refunding them in full.”

Also Read: Anthropic Co-Founder Says AI’s First Real Job Shock Is Hitting Graduates

Security Fallout

William LeGate, who works closely with the platform, repeated that the issue had been resolved and said affected users would receive full compensation.

GoPlus Security described the incident as a supply chain attack, saying about 15 accounts were affected and losses totaled $3 million.

Bubblemaps reached the same broad conclusion and praised Polymarket’s response after the funds were drained and the exploit was contained.

The latest breach adds pressure because it follows another incident last month, when an admin wallet used for employee reward top-ups lost about $700,000, likely through a private key compromise.

Crypto sleuth ZachXBT first estimated that earlier loss at about $520,000, before Bubblemaps later cited the higher figure after tracking funds across several addresses.

Developer Josh Stevens said a 6-year-old private key had been exposed through internal configuration, after which the company rotated credentials and moved to key management services.

Both breaches affected systems around the prediction markets rather than the markets themselves, but they arrived during a difficult period for the company. The Wall Street Journal recently reported that Polymarket paid college-age creators $2,000 to $3,000 per month to post staged betting videos, and another trader claimed this month that rule changes tied to a Strategy Bitcoin sale market cost them $500,000.

Read Next: North Korea’s BlueNoroff Hackers Used AI-Generated Fake Zoom Calls To Breach 100 Crypto Executives