Polymarket Discloses $3.1M User-Fund Theft After Vendor Compromise

A high-profile prediction-market disclosure of user-fund theft: a compromised third-party vendor injected a malicious script into Polymarket's frontend, draining roughly $3.1 million from eleven user wallets, with the platform pledging full refunds.


Key Takeaways

  • Polymarket disclosed on June 25, 2026 that a compromised third-party vendor injected a malicious script into the prediction-market platform's frontend for some users, draining funds directly from connected user wallets in what amounts to a software supply-chain attack on the website layer rather than the blockchain layer.
  • Losses were initially put at about $2.94 million and later revised upward to roughly $3.1 million in pUSD drained from eleven user wallets, with the stolen balances swapped out of the platform's dollar-pegged token and bridged into approximately 1,893 ETH held in attacker-controlled addresses.
  • Polymarket said it contained the incident and removed the affected dependency, and the company publicly committed to contacting impacted users and refunding them in full, making the affected holders whole in pUSD value.

NEW YORK, NEW YORK — Polymarket on June 25, 2026 disclosed that funds had been stolen from a small number of its users after a third-party vendor was compromised, an incident the prediction-market platform attributed to a malicious script injected into its website rather than any failure of the underlying blockchain. In a public statement, the company said it had discovered that morning that a third-party vendor supplying frontend code had been compromised, injecting a malicious script into Polymarket's frontend for some users. The platform said it contained the incident, removed the affected dependency, and would contact and refund the impacted users in full. Loss estimates, initially placed at about $2.94 million, were subsequently revised upward to roughly $3.1 million.

The episode reads as a software supply-chain and frontend-integrity problem rather than a conventional account takeover, but the effect on users was the same: balances drained from their wallets. Because the malicious code rode in through a trusted third-party dependency loaded by the website, it reached users who had no reason to suspect anything was wrong, an echo of the third-party data breach exposures that have repeatedly turned a vendor's weakness into a direct loss for the people downstream of it.

At a Glance
Field | Details
Platform | Polymarket (prediction market)
What | User funds stolen via malicious script injected into the platform's frontend
Funds stolen | About $3.1 million in pUSD (initially reported ~$2.94M)
Users affected | Eleven user wallets (reported fewer than 15 users)
Path | Compromised third-party vendor injected a malicious frontend script
Reimbursement | Polymarket pledged full refunds to affected users
Status | Disclosed June 25, 2026; incident contained, dependency removed

What Polymarket Disclosed

In a public statement issued on June 25, 2026, Polymarket said it had discovered that morning that a third-party vendor had been compromised, injecting a malicious script into the platform's frontend for some users. The company said it had contained the incident and removed the affected dependency, and that it was contacting impacted users and refunding them in full. The disclosure was made through the company's official channels and quickly corroborated by independent reporting.

The mechanism, as described in the company's account and in subsequent reporting, is a supply-chain compromise at the website layer rather than a failure of the blockchain or smart contracts that underpin Polymarket's markets. A vendor that supplied frontend code was compromised, and a malicious script was loaded onto Polymarket's website for a subset of users. That script, according to reporting on the incident, prompted affected users to sign wallet transactions that authorized the movement of their funds. The blockchain itself behaved as designed; the deception happened in the interface presented to users.

The financial scale of the theft was revised as the picture clarified. Early figures put the loss at approximately $2.94 million, drawn from a small set of accounts. Within days the estimate was revised upward to roughly $3.1 million in pUSD, the platform's dollar-pegged token, drained from eleven user wallets. According to reporting, the stolen balances were swapped out of pUSD and bridged into approximately 1,893 ETH, which then sat in addresses controlled by the attackers.

Affected-User Notification Awareness

Polymarket said it was contacting the users whose funds were affected, and reporting on the incident has consistently described the impacted population as small — eleven wallets, with several accounts of the incident noting that fewer than fifteen users in total were affected. That is a narrow blast radius relative to the platform's overall user base, but for the individuals involved the losses were direct withdrawals from their own balances.

For users of the platform more broadly, the practical awareness point is that the compromise reached them through the website they trusted, not through a phishing email they could have flagged or a password they could have rotated. When a malicious script is injected into a legitimate frontend through a compromised dependency, the usual user-side defenses — checking the domain, avoiding suspicious links — offer limited protection, because the malicious behavior is being served from the real site. That is precisely what makes frontend supply-chain compromises difficult for end users to detect on their own.

Affected users in this case have a clearer path than is typical, because the company committed publicly to full reimbursement. Users who interacted with the platform during the window in which the malicious script was being served, and who approved wallet transactions they did not initiate or recognize, are the population most likely to have been touched; the company's stated approach is to reach those users directly and make them whole rather than relying solely on users to self-identify.

Company's Published Remediation Steps

The remediation steps Polymarket described in its disclosure were specific and immediate. The company said it had contained the incident and removed the affected dependency — the compromised third-party component through which the malicious script was being loaded. Removing that dependency cuts off the delivery path for the injected code, which is the direct fix for a frontend supply-chain compromise of this kind.

The second published commitment was financial: Polymarket said it would contact impacted users and refund them in full. Reporting on the incident has framed the operative promise as full reimbursement of the affected pUSD value, with the company stating it would make affected holders whole. That commitment is notable in a sector where users who lose funds to interface-level deception frequently bear the loss themselves, and it places the cost of the vendor's compromise on the platform rather than on the eleven affected wallets.

What the company's published account does not detail — at least in the disclosure as reported — is the identity of the compromised vendor, the precise window during which the malicious script was live, or the technical specifics of how the vendor itself was breached. Those are the kinds of details that typically emerge later, if at all, and their absence at the disclosure stage is common for an incident reported within hours of discovery.

Industry-Context Discussion for Prediction-Market and Crypto Platforms

The Polymarket incident sits in a recognizable category of risk for crypto and prediction-market platforms: the frontend, not the chain, is often the softest target. The smart contracts and on-chain settlement that platforms emphasize as trustless and auditable can be functioning exactly as intended while users are nonetheless deceived into authorizing transactions through a compromised interface. When the malicious code arrives through a trusted third-party dependency, the platform's own infrastructure becomes the delivery vehicle.

This is the same structural problem that has driven a run of third-party and supply-chain incidents across sectors, where an organization's security ultimately depends on the weakest vendor in its delivery chain. The pattern is familiar from breaches such as the Carnival Corporation disclosure, where a compromise reached a large organization through a connected third party. For platforms that handle user funds, the stakes are sharpened because the consequence of a frontend compromise is not just data exposure but direct, irreversible movement of money.

For prediction-market and crypto platforms specifically, the takeaway that industry observers tend to draw from incidents like this is that frontend integrity deserves the same scrutiny as smart-contract security. That includes monitoring and constraining the third-party scripts and dependencies that a website loads, validating the integrity of code served to users, and building the assumption of a potential frontend compromise into incident-response planning. The financial-fraud dimension also matters: account- and wallet-level fraud has become a recurring theme in cybersecurity reporting, from platform compromises to the kind of account-fraud schemes seen in cases like the misuse of an Amazon business account by a municipal clerk in Tennessee, underscoring how directly digital compromises now translate into stolen money.
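
A minimal audit for the integrity validation described above, as an added example that is not from Polymarket or the original article: it flags cross-origin scripts loaded without a Subresource Integrity pin and re-checks pinned ones against the body currently served. The hostnames, script bodies and function names are constructed for illustration, and the page does not say whether such a control was in place.

```javascript
// Added example: audit third-party <script> tags for Subresource Integrity.
// Hostnames, script bodies and the sample page below are constructed.
const { createHash } = require('node:crypto');
const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an SRI value ("<algo>-<base64 digest>") for a script body.
function sriFor(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Check a body against an integrity attribute: only digests using the
// strongest listed algorithm count, and any one of them may match.
function verifySri(integrity, body) {
  const entries = integrity.trim().split(/\s+/)
    .map((t) => t.split('?')[0]) // drop optional "?options" suffix
    .map((t) => ({ algo: t.split('-')[0], value: t }))
    .filter((e) => STRENGTH.includes(e.algo));
  if (entries.length === 0) return false; // audit choice: fail closed
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.algo)));
  return entries.filter((e) => STRENGTH.indexOf(e.algo) === best)
    .some((e) => e.value === sriFor(body, e.algo));
}

// Classify each cross-origin script; `fetched` maps absolute URL -> served body.
// The regex tag scan is a simplification; use an HTML parser on real pages.
function auditScripts(html, pageOrigin, fetched) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs)?.[1];
    if (!src) continue; // inline script, out of scope here
    const url = new URL(src, pageOrigin);
    if (url.origin === new URL(pageOrigin).origin) continue; // first party
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs)?.[1];
    const status = !pin ? 'unpinned'
      : verifySri(pin, fetched[url.href] ?? '') ? 'ok' : 'mismatch';
    findings.push({ url: url.href, status });
  }
  return findings;
}

const PINNED = 'window.widget = () => "v1";';
const SAMPLE_HTML = `<script src="/app.js"></script>
<script src="https://vendor-a.example/widget.js" integrity="${sriFor(PINNED)}" crossorigin="anonymous"></script>
<script src="https://vendor-b.example/analytics.js"></script>`;
const SAMPLE_FETCHED = { // vendor-a now serves a body that differs from the pin
  'https://vendor-a.example/widget.js': PINNED + '/* changed after pinning */',
  'https://vendor-b.example/analytics.js': 'console.log("metrics");',
};
const runSample = () => auditScripts(SAMPLE_HTML, 'https://app.example', SAMPLE_FETCHED);
console.log(runSample());
```

SRI only covers scripts referenced by URL; a dependency compiled into the site's own bundle needs lockfile pinning and build-time review instead.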

Open Questions

Several questions remain open as the incident continues to be reported. The identity of the compromised third-party vendor and the means by which it was breached have not been detailed in the disclosure as reported, leaving the precise origin of the malicious script unresolved. The exact window during which the script was being served to users, and therefore the full set of users who may have been exposed, is also not fully specified beyond the eleven wallets identified as drained. As with the broader pattern of account-fraud and theft cases, the recovery of the stolen funds — bridged into roughly 1,893 ETH and held in attacker-controlled addresses — is uncertain, which is part of why the company's refund commitment matters to affected users.

It is also worth noting the limits of the public record at this stage. The core facts — that a third-party vendor was compromised, that a malicious script was injected into Polymarket's frontend, that roughly $3.1 million was drained from eleven wallets, and that the company pledged full refunds — rest substantially on Polymarket's own statement and the reporting that followed it. The loss figure itself moved upward from the initial estimate, a reminder that early numbers in fast-moving incidents are provisional. What is confirmed is enough to mark the episode as a serious user-fund theft and a clear illustration of frontend supply-chain risk, with the durable lesson being that a platform's security is only as strong as the third-party code it loads.


Sources

Type | Source
Primary | Polymarket — official statement (@PolymarketTrade on X)
Reporting | TechCrunch — Polymarket says hackers stole users' funds
Related | The CyberSignal — Vimeo Data Breach (Anodot, ShinyHunters)
Related | The CyberSignal — Carnival Confirms ShinyHunters Extortion
Related | The CyberSignal — Town of Alexandria, Tennessee Amazon Account Fraud