Polymarket is actively contacting and fully refunding victims affected by a frontend website exploit that drained approximately $3 million from user accounts. The decentralized prediction market confirmed that a compromised third-party vendor allowed hackers to inject malicious scripts, tricking users into authorizing unauthorized transactions.
Core Details of the Incident.
- What Happened: A third-party supplier was breached, letting hackers alter Polymarket’s website frontend and inject malicious code.
- Affected Assets: Attackers specifically targeted customer wallets containing pUSD (a platform-specific stablecoin), which were then swapped to ETH and consolidated into single wallet addresses.
- Financial Impact: Blockchain security and monitoring firms like PeckShield estimate losses at roughly $3 million affecting at least 11 user wallets.
- Resolution Status: The malicious dependency has been removed, and Polymarket has contained the breach. No underlying smart contracts were compromised in this specific attack.
Broader Context.
This event marks the second security incident on Polymarket in consecutive months. In a previous incident in May, an employee’s leaked private key resulted in a $700,000 drain affecting a wallet primarily used for top-ups and rewards.
Because of the platform’s commitment to making users whole, Polymarket is actively communicating with the individuals who had funds drained to execute full compensations. Following security-supply chain incidents across the broader Decentralized Finance (DeFi) space, users are highly advised to remain cautious of phishing attempts


