Polymarket Picks Up the Tab After Vendor Snafu Siphons $3.1M From PUSD Wallets 💸

Prediction market platform Polymarket said it will fully reimburse users after a compromised third-party vendor injected a malicious script into the platform's frontend, exposing customers to a phishing attack that blockchain intelligence firms estimate drained between $2.94 million and $3.1 million. Polymarket said it discovered the breach on June 25, removed the affected dependency and contained the incident, while continuing to contact impacted users directly. The company has not disclosed the identity of the compromised vendor or published a detailed technical postmortem.

According to blockchain security firm PeckShield, the attackers deployed a phishing campaign that drained roughly $3 million worth of PUSD, Polymarket's dollar-pegged stablecoin backed by USDC, from more than 11 victim wallets. Researchers said the stolen funds were bridged from Polygon to Ethereum and exchanged for approximately 1,893 ETH, which were then consolidated into a single monitored Ethereum address. Blockchain analyst Specter cited estimated losses of $2.94 million, while AMLBot updated the figure on June 27 to approximately $3.1 million. On-chain investigations firm Bubblemaps said the damage was largely contained to fewer than 15 user accounts. Affected addresses listed by Bubblemaps include 0x349606c1b77F3Ba668879CbC9347f15a44cF8fc4, 0xFB84a9d631A3a19204B82c78dFeb90b220255fB5, 0x4aeC70021891EA712AAf3e2dD76c30f6b09A4ce9, 0x987B441a20Dd4AA4bA6d53069E852E7f820adF43 and 0x2d7BE5170a8026c18709EAEa1027c7f12E8Ce2Ce.

"This morning we discovered a third party vendor had been compromised, injecting a malicious script into our frontend for some users," Polymarket said in an X post. "We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full." The platform emphasized that the incident affected only users who interacted with the compromised frontend during the attack window and that the underlying smart contracts were not impacted. No timeline has been provided for the reimbursement process or the publication of a full incident report.

The attack was the 89th reported crypto security breach of the second quarter, according to DefiLlama data, extending the most-hacked quarter on record by incident count. Total crypto exploit losses reached $74.9 million across 29 reported incidents in June, surpassing May's $60.5 million total but remaining far below April's $644 million. Other notable June incidents included the $36 million Humanity Protocol exploit, the $4.7 million Secret Network bridge exploit, two separate Aztec exploits worth $2.1 million each and a $1.7 million bridge exploit on Taiko. Private key compromises accounted for 43% of reported exploit losses over the past 30 days, followed by fake proof exploits at 10% and reverse MEV honeypots at 8%.

The phishing incident follows a separate security breach disclosed roughly one month earlier, in which attackers exploited a six-year-old private key used for internal top-up operations to steal approximately $600,000 to $700,000. Josh Stevens, Polymarket's vice president of engineering, said at the time that the platform's contracts and user funds remained safe and that all permissions tied to the key had been revoked. Polymarket currently holds over $450 million in total value locked, up 301% from $112 million a year ago, according to DefiLlama.

Publisher: cryptonewsroom.xyz
Category: Security
