Polymarket Confirms Hackers Drained $3 Million From Users After Third-Party Breach

Prediction-market platform Polymarket said hackers stole roughly $3 million from users after a third-party vendor was compromised and malicious code was injected into its website. The incident has since been fully contained, and refunds are being initiated for affected users in full.

• Key Takeaways:
• • Polymarket said hackers stole about $3 million from 11-plus users via a compromised third-party vendor.
• • Peckshield traced the exploit to malicious frontend code that phished users into approving fraudulent transactions.
• • Polymarket has stated that it is refunding victims in full as prediction markets face growing security and regulatory scrutiny.

A Supply-Chain Attack, Not a Direct Breach

Polymarket disclosed that a compromise at one of its outside providers allowed attackers to slip malicious code into its frontend for some users. The tampered script powered a phishing campaign that tricked victims into approving fraudulent transactions, which then drained funds from their connected wallets.

“We have contained the incident,” Polymarket said, adding that it removed the affected dependency and is “refunding them in full.” The company stressed that its own core infrastructure and onchain markets were not breached, with the weak link being a third-party supplier whose code was served through Polymarket’s website.

Blockchain security firm Peckshield estimated the losses at roughly $3 million drained from more than 11 victims. Additionally, the attack was a classic supply-chain compromise, in which adversaries target a trusted vendor to reach a larger platform rather than attacking that platform’s systems head-on.

Image source: X Because the malicious code lived in the website’s frontend rather than the underlying smart contracts, the exploit hit the layer most users actually interact with. Visitors who loaded the compromised page were prompted to sign transactions that looked legitimate but instead handed control of their assets to the attackers.

In sum, funds locked in Polymarket’s onchain markets were never directly at risk, but users who approved the spoofed transactions saw their wallets emptied.

What Happens Next

Polymarket said it is contacting victims individually as it processes refunds rapidly, absorbing the cost of a breach that originated outside its own walls (a move likely aimed at preserving trust among its fast-growing user base).

Additionally, the breach comes at a time when prediction markets are booming, with Polymarket and rival Kalshi together driving a record month in April. Polymarket alone has processed more than 100 million trades to date, making it one of the most active venues in crypto.

The scale of this growth has not gone unnoticed by observers, resulting in the platform recently deploying Chainalysis surveillance tools to monitor the market’s integrity. Parallely, U.S. lawmakers have probed into prediction markets over insider-trading safeguards, with one Republican bill seeking to bar members of Congress and their families from wagering on policy outcomes.

The June incident adds operational security to that list of concerns. And, while the refund pledge may limit reputational damage, the reality remains that prediction markets, much like exchanges and DeFi protocols, are now being looked at as lucrative avenues for sophisticated attackers.