Key Takeaways:
- Hackers stole $2.9M from Polymarket users via a compromised third-party vendor.
- Polymarket said it contained the breach and will refund affected users in full.
- The incident marks the platform's second security breach in two months.

Hackers drained approximately $2.9 million from at least 11 Polymarket users after a third-party vendor compromise injected malicious code into the prediction market's frontend.
Polymarket said on X that it had contained the incident and removed the affected dependency. "We're contacting impacted users and refunding them in full," the company wrote.
Blockchain analyst Specter identified the attack, estimating $2.94 million in losses across 11 victim wallets holding PUSD, Polymarket's dollar-pegged stablecoin. The stolen assets were bridged from Polygon to Ethereum and converted into roughly 1,893 ETH, a common laundering technique, according to on-chain data reviewed by Specter.
The breach caps a difficult period for Polymarket, which holds more than $450 million in total value locked, up 301% from a year ago, per DefiLlama. The company disclosed a separate $600,000 exploit last month tied to a compromised six-year-old private key used for internal operations. A Wall Street Journal investigation published Sunday also found Polymarket paid creators to post deceptive videos showing fabricated winnings.
The attack was the 89th reported crypto security breach of the second quarter, according to DefiLlama data, extending the most-hacked quarter on record by incident count. Crypto exploit losses reached $74.9 million across 29 reported incidents in June, surpassing May's $60.5 million total.
Polymarket's head of experience, William LeGate, said on X that the company is refunding affected users in full and that there are no user losses. Blockchain investigations firm Bubblemaps concluded that fewer than 15 user accounts were affected.
The security failures come as Polymarket faces intensifying regulatory pressure. Spain blocked the platform in May over missing gambling licenses, joining France, Belgium, Poland, Italy and India in restricting access. A Google engineer was charged last month with insider trading after using internal search data to make more than $1 million in profit on the platform.