Third-Party Vendor Slip Lets Phishers Pocket $3M From Polymarket Users 🐟

Prediction market platform Polymarket said on June 25 it will fully reimburse users after a compromised third-party vendor injected malicious code into parts of the platform's frontend, exposing visitors to a phishing attack that blockchain security researchers estimate drained roughly $3 million. Polymarket said it discovered the compromise earlier in the day, removed the affected dependency and contained the incident, and is contacting impacted users directly. The platform has not disclosed the identity of the compromised vendor or released a detailed technical postmortem.

The attack appeared to affect only users who interacted with the compromised frontend during the attack window, rather than the platform's underlying smart contracts. Blockchain analytics firm PeckShield reported that the incident functioned as a phishing campaign targeting Polymarket users, with attackers draining approximately $3 million worth of PUSD from more than 11 victim wallets before bridging the stolen funds from Polygon to Ethereum. Independent researcher Specter estimated losses at $2.94 million from at least 11 wallets. PeckShield said the attacker subsequently exchanged the proceeds for roughly 1,893 ETH and consolidated the assets into a single monitored Ethereum address. On-chain investigations firm Bubblemaps said potential damage was largely contained, with fewer than 15 user accounts affected, and published several wallet addresses linked to the incident. Polymarket has not publicly confirmed the estimated losses or the number of affected wallets.

The incident was the 89th reported crypto security breach of the second quarter, according to DefiLlama data, extending the most-hacked quarter on record by incident count. Crypto exploit losses climbed to $74.9 million across 29 reported incidents in June, surpassing May's $60.5 million total but remaining far below April's $644 million. Other June incidents included the $36 million Humanity Protocol exploit, the $4.7 million Secret Network bridge exploit, two separate Aztec exploits worth $2.1 million each and a $1.7 million bridge exploit on Taiko. Over the past 30 days, private key compromises accounted for 43% of reported exploit losses, followed by fake proof exploits at 10% and reverse MEV honeypots at 8%.

The Polymarket attack comes roughly one month after the platform disclosed a separate $600,000 exploit, which Decrypt reported at $700,000, traced to a six-year-old private key used for internal top-up operations. Josh Stevens, Polymarket's vice president of engineering, said at the time that the platform's contracts and user funds remained safe and that all permissions tied to the key had since been revoked. The latest compromise highlights the risk posed by external vendors with direct involvement in site operation, even when core protocols remain secure.

Polymarket currently holds over $450 million in total value locked, up 301% from $112 million a year ago, according to DefiLlama. The company has not provided a timeline for the reimbursement process or for the publication of a full incident report.

Publisher: cryptonewsroom.xyz
Category: Security
