Image credit: Shutterstock
Polymarket says hackers stole funds from some users after a compromised third-party vendor injected malicious code into parts of its website.
The prediction market platform said it has contained the incident, removed the affected dependency and started contacting users it plans to refund in full.
Vendor Breach Hit Polymarket Front End
Polymarket said the incident began with a third-party vendor, not with a confirmed exploit of its core market contracts. The compromised vendor allowed attackers to inject a malicious script into Polymarket’s front end for some users.
Users who interacted with the affected site could have been exposed during normal platform activity. The company has not named the vendor, said how long the code was active or disclosed the number of affected accounts.
Polymarket Says User Funds Were Stolen
A Polymarket spokesperson confirmed that user funds were stolen but did not provide further details on the breach. The company said its current response is focused on direct outreach and reimbursement rather than a full public technical post-mortem.
That leaves several open questions, including which dependency was affected, how long the malicious code was active and how many users were exposed.
Analysts Tracked About $3M in Losses
Blockchain security firm PeckShield said the attack was linked to a phishing campaign targeting Polymarket users. PeckShield said stolen funds were bridged from Polygon to Ethereum and swapped into about 1,893 ETH.
On-chain analyst Specter reported a similar loss figure and said more than 11 victims had been identified. The reported loss is near $3 million, though Polymarket has not publicly confirmed a final amount.
Refunds Would Limit User Losses
Polymarket said it will refund affected users in full. If completed, the refunds would limit the direct financial hit for traders whose wallets were drained through the compromised interface.
The move also gives the company room to contain user fallout while it reviews the supply-chain failure. Front-end compromises can be hard for users to detect because a platform can appear normal while malicious code changes transaction behavior in the background.
Prior $520K Incident Adds Scrutiny
The incident lands as prediction markets handle larger balances and more active trading across crypto-native rails. Polymarket had already faced questions over a separate May incident, when on-chain investigator ZachXBT flagged about $520,000 in drained funds from two Polygon contracts.
Polymarket said at the time that user funds were safe. This latest breach is different because Polymarket says users did lose funds. Its refund pledge limits the immediate damage, but the episode adds another security test for a platform operating at larger scale.
