Security researchers classified the incident as a supply chain attack rather than a flaw in Polymarket’s core contracts.
Polymarket confirmed Friday that a compromised third-party vendor allowed attackers to inject malicious code into its interface, draining around $3 million from fewer than 15 user accounts.
The platform says it will refund the full amount to all affected users.
What happened
The attack was first reported by on-chain security researcher Specter, who noted that an apparent phishing campaign had drained funds from more than 11 victim wallets holding Polymarket’s PUSD stablecoin.
At the time, they estimated the losses at $2.94 million. PeckShield confirmed the figure shortly after, observing that the attacker had bridged the stolen funds from Polygon to Ethereum and converted them into 1,893 ETH.
The prediction market confirmed the incident through one of its official accounts, Polymarket Traders.
“This morning we discovered that a third-party vendor had been compromised, injecting a malicious script into our interface for some users. We contained it and removed the affected dependency,” the account wrote on X. “We are contacting affected users and will refund them in full.”
William LeGate, who works closely with the platform, echoed the news about the compensation, reiterating that the problem had been resolved and that affected users would get their money back in full.
Another blockchain security account, GoPlus Security, described the incident as a supply chain attack. It said the malicious code affected about 15 accounts, with losses totaling $3 million, a conclusion also reached by Bubblemaps, which praised Polymarket’s response in containing the losses.
A recurring problem
This is not the first time Polymarket has been affected. Last month, the platform revealed another breach in which an administrative wallet used for employee reward top-ups lost around $700,000, likely through a private key compromise. Cryptocurrency sleuth ZachXBT had initially estimated the losses at around $520,000, and Bubblemaps later cited the higher figure after tracing the funds to multiple addresses.
Developer Josh Stevens confirmed at the time that a 6-year-old private key had been exposed through an internal configuration and that the company had since rotated the credentials and moved to key management services. That incident did not affect user funds or the core contracts.
While the two incidents involved different attack methods, both targeted systems outside of Polymarket’s prediction markets themselves. The latest also comes at a time when the platform is already facing other reputational headwinds, including a recent Wall Street Journal report claiming that it paid college-age creators between $2,000 and $3,000 a month to post betting videos featuring fictional versions of the Polymarket website, and that not one of the more than 1,100 clips could be traced back to real blockchain activity.
There was also another controversy earlier this month when a trader claimed he had lost $500,000 after the prediction service allegedly changed the resolution rules for a market linked to Strategy’s Bitcoin sale.