$3.1 Million Stolen in Polymarket Supply-Chain Attack Amid Growing Scrutiny

Key Points

  • Attackers planted malicious code via a compromised third-party vendor, pulling roughly $3.1 million in PUSD from at least 11 wallets and converting it all to ETH.
  • This marks Polymarket’s second confirmed security breach within two months, with a $700,000 private key compromise having already hit the platform in May.
  • The hack landed in the same week a Wall Street Journal investigation exposed fake marketing videos and federal investigators reportedly began circling the platform.

$3 Million Drained Before the Platform Knew What Hit It

However, the day began normally enough for Polymarket. It was only when the company discovered that a vendor had been hacked and the problematic code was shut down that at least 11 users’ wallets were found to be empty, having lost about $3 million worth of cryptocurrency. This hack was pointed out by PeckShield, a blockchain analytics company, on X, while on-chain researcher Spectre put the loss at $2.94 million. Later, AMLBot, a blockchain intelligence company, put the figure at around $3.1 million. Bubblemaps, reviewing the wallet activity independently, confirmed fewer than 15 accounts were hit and called the damage “largely contained,” appending: “Great response by Polymarket.”

The company’s first public response came through its Polymarket Traders X account: “We’ve contained it and removed the affected dependency. We’re contacting impacted users and refunding them in full.” Growth Lead William LeGate backed the statement separately, confirming both the breach and the refund pledge. Spokesperson Connor Brandi confirmed to TechCrunch that funds had been stolen but declined to say anything further about how the attack unfolded or where the investigation stood.

The Door Left Open by a Third-Party Vendor

The smart contracts of Polymarket remained intact, along with the backend servers. The target of the hack attack was a third-party software provider which was running some code inside the web front-end of Polymarket, but the systems of this provider had previously been compromised without much attention drawn to this. Once the users entered the website and logged in with their wallets, there was a hidden script which generated the transaction approval prompts and sent them to attackers’ wallets. Nothing looked wrong until the money was already gone.

The stolen PUSD, Polymarket’s USDC-backed trading stablecoin, was converted into roughly 1,893 ETH and bridged from Polygon to Ethereum almost immediately, a deliberate routing that complicates any recovery effort. Elad Luz, Head of Research at Oasis Security, identified the nature of the vendor’s access as the point where this breach diverged from a typical dependency attack. Luz told SecureWorld: “From what we understand, Polymarket was using the services of a third-party software company to maintain their website, and that vendor got compromised. This makes a difference because it is an access given to a third party, possibly in the form of some identity. Applying anomaly detection or baselining to identities of external access is valuable here.”

However, the approach is nothing new. In December 2023, an attacker obtained the credentials of a Ledger employee for the npm package manager, which resulted in the distribution of a tainted JavaScript library which got incorporated into over 100 DeFi front-ends before being detected. The Polymarket hack operates on the same principle keep the protocol clean and use the delivery channel exploited by the actual users to exploit the protocol. Smart contract audits, however thorough, cannot see this coming.

A Pattern That Is Getting Harder to Explain Away

June’s frontend attack was not the first time Polymarket had to explain itself to users in 2026. As stated, in May, a blockchain security researcher called ZachXBT brought attention to a suspected hack involving Polymarket’s own wallet used to facilitate internal top-up and reward payments. According to on-chain evidence, the loss was valued somewhere around $520,000 – $700,000, while the platform’s developer account gave a concise explanation: “Findings indicate a private key compromise of a wallet used for internal top-up activities and not contracts or core infrastructure.” Before this, in December of 2025, after reports of stolen funds and suspicious login activities, Polymarket confirmed an incident on Discord, where they held the culprit responsible for the incident to be an unknown third-party login service. Earlier in March 2026, ZachXBT reported a possible hack where more than $520,000 was taken from two Polygon smart contracts. Three incidents across roughly six months are a sequence that stretches the idea of bad luck.

Seven Days That Stacked the Damage

The hack did not land on a clean slate. It was the third significant blow to hit Polymarket within a single week, arriving on the back of the momentum the platform had been building steadily through a period of rapid growth. The Wall Street Journal revealed on Sunday, June 22nd, that Polymarket had been paying online creators who were predominantly in their college years $2,000 to $3,000 each month to upload videos showing fictional wins while betting through copycat websites designed to look like the legitimate site. According to the report, more than 1,100 videos were reviewed by reporters, and not even a single one of the almost $1.9 million in winnings shown was from a real trade on the legitimate website.

In one such video, a creator was seen winning $100,000; however, the reality is that public documents show more than 50 users losing their money on the same bet. Polymarket responded by promising a “comprehensive audit of active promotional content” to ensure compliance with its standards and applicable legal requirements, as reports of a federal investigation emerged. The hack arrived four days after the WSJ story broke. For a platform where combined monthly trading volume with rival Kalshi had climbed from under $5 billion to roughly $24 billion between September 2025 and April 2026, a $3 million theft is arithmetically minor. The problem is not the number; it is what the number landed on top of.

Regulators Were Already at the Door

The hack found a platform that had been managing regulatory pressure from multiple directions for months. Spain’s Ministry of Consumer Affairs moved in May, opening a sanctioning file and ordering a precautionary site block after concluding Polymarket was operating without a gambling licence. France, Belgium, Poland, Italy, and India had already put restrictions in place on similar grounds. In the United States, the pending Crypto Clarity Act and an active CFTC probe represent the most direct regulatory threat the platform faces on its home turf. The EU’s MiCA regime is now fully enforced, and FATF and OECD compliance standards are tightening around anti-money laundering and tax reporting globally. Polymarket’s Panama entity, the vehicle through which it serves non-US users, does not sit neatly against any of it.

Expert Analysis

Three million dollars is not a catastrophic number for a platform moving tens of billions in monthly volume, and the refund pledge caps the immediate financial exposure for affected users. What no reimbursement policy covers is the sequence itself: a supply-chain breach, a fake marketing scandal, a federal probe, and a governance dispute revealing that nine anonymous wallets control resolution power on the platform, all colliding in a single week. Each item alone would be a news cycle. Together, they represent a trust problem with compound interest. Security experts have pointed for years to browser-layer exposure as the vulnerability that the industry consistently under-addresses. Smart contract audits cannot find a malicious frontend script. Hardware wallet verification, rigorous transaction confirmation, and vendor dependency audits are what protect users at this layer, and none were sufficiently visible at Polymarket before the breach. The platform’s growth story is not over. The question sitting in front of it now is whether users who specifically value prediction markets for their reliance on transparent, verifiable information will keep placing that trust in a platform whose own practices have spent a week under scrutiny.

Home Menu