Polymarket confirmed Wednesday that attackers compromised one of its third-party vendors and injected a malicious script into the prediction market's frontend, with blockchain analyst Specter estimating that roughly $2.94 million was stolen from at least 11 user wallets.

"This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full," the company posted on X.

Specter, an on-chain investigator, flagged outflows from over 11 victim wallets that held pUSD, the USDC-backed ERC-20 collateral token Polymarket uses for dollar-denominated bets on Polygon. The attacker swapped the stolen assets for ETH and consolidated proceeds to a primary address. That address held roughly 1,788.5 ETH, approximately $2.8 million, with 104.4 ETH already withdrawn at the time of publication.

William LeGate, Polymarket's growth lead, responded to Specter's post on X and said "There are no user losses," adding that Polymarket was refunding all affected users.

The attack appears to have targeted the website's interface rather than the core smart contracts. According to Blocknomi, attackers injected malicious JavaScript into the frontend that prompted affected users to sign or approve transactions when they connected their wallets. Some users on X separately reported unauthorized withdrawal transactions from their accounts. Polymarket did not disclose which vendor or dependency was compromised. Cointelegraph said it approached Polymarket for additional comment and did not receive a response before publication.

A second Polymarket incident within weeks

The frontend attack came roughly a month after Polymarket disclosed a separate $600,000 exploit traced to a six-year-old private key used for internal top-up operations. Josh Stevens, Polymarket's vice president of engineering, said at the time that the platform's contracts and user funds remained safe and that all permissions tied to the key had been revoked.

The two incidents arrive as Polymarket's total value locked has grown sharply. According to DefiLlama, the platform currently holds over $427 million in TVL, up around 300% from $112 million a year ago.

Where the attack sits in Q2's breach record

The Polymarket exploit was the 89th reported crypto security breach of the second quarter, according to DefiLlama, which would extend the most-hacked quarter on record by incident count.

June crypto exploit losses reached $74.9 million across 29 reported incidents, above May's $60.5 million total but far below April's $644 million. The largest June incident before the Polymarket attack was a $32 million exploit at Humanity Protocol. The Secret Network bridge saw $4.7 million drained. Two separate Aztec exploits totaled $4.2 million combined, and a Taiko bridge exploit accounted for another $1.7 million.

Over the 30 days preceding the Polymarket breach, private key compromises accounted for 43% of reported exploit losses across DeFi, making them the leading attack vector by loss share, per DefiLlama data. Fake proof exploits accounted for 10% of losses. Reverse MEV honeypots, which present deceptive trading opportunities to lure and manipulate automated trading bots, accounted for 8%.

The Polymarket supply-chain attack does not fit neatly into any of those three categories, as it relied on a compromised vendor dependency rather than a direct protocol or key vulnerability.
