Polymarket confirms $3M stolen after third-party vendor hack

Summary
– Hackers stole roughly $3 million from Polymarket users by injecting malicious code into the platform’s frontend via a compromised third-party vendor.
– Polymarket contained the incident, removed the affected dependency, and is refunding affected users in full, but did not disclose the vendor or number of victims.
– The attack was a supply chain compromise, not a breach of Polymarket’s core smart contracts; funds were bridged from Polygon to Ethereum to obscure the trail.
– This follows a separate May incident where $520,000 was drained from two smart contracts due to a compromised internal wallet private key.
– The hack caps a week of scandals, including a Wall Street Journal report that Polymarket paid creators for deceptive promotional videos showing fake bets.
Polymarket has confirmed that roughly $3 million in user funds were stolen after a third-party vendor hack allowed malicious code to be injected into the platform’s frontend. The breach, disclosed Thursday, did not compromise the prediction market’s core smart contracts but instead exploited a supply chain vulnerability that affected users who interacted with the tampered interface.
Blockchain security firm PeckShield tracked the losses at approximately $3 million in cryptocurrency, drawn from more than 11 victims. On-chain data reviewed by analyst Specter showed funds being drained from wallets holding PUSD, Polymarket’s native stablecoin. The stolen assets were quickly bridged from Polygon to Ethereum and converted into roughly 1,893 ETH, a standard laundering tactic used to obscure the trail and liquidate holdings.
In a post on X, Polymarket said it had “contained” the incident and removed the compromised dependency. The company stated it is contacting affected users and refunding them in full, though it did not disclose the number of victims or name the vendor responsible. Polymarket spokesperson Connor Brandi confirmed to TechCrunch that funds were stolen but declined to provide further details.
This is not the first security incident for Polymarket this year. In May, blockchain investigator ZachXBT flagged a separate event where roughly $520,000 was drained from two smart contracts on Polygon. Polymarket attributed those losses to a compromised six-year-old private key tied to an internal operations wallet, not a platform exploit.
The hack caps what has been a turbulent week for the company. On Sunday, a Wall Street Journal investigation revealed that Polymarket had paid online creators to post deceptive videos showing fabricated bets and fake winnings. The Journal reviewed more than 1,100 videos and found that none of the wagers, representing nearly $2 million in displayed value, were placed on the live platform. Polymarket responded by saying it would audit its promotional content.
These scandals come amid escalating regulatory and legal pressure. Last month, a Google engineer was charged with insider trading after using internal search data to make more than $1 million in profit on Polymarket. Spain blocked the platform in May over missing gambling licenses, joining France, Belgium, Poland, Italy, and India in restricting access.
Polymarket has also faced structural governance questions. A $345 million dispute over an Iran peace deal contract earlier this month revealed that just nine anonymous cryptocurrency wallets control more than half the voting power used to resolve contested outcomes on the platform.
Founded by Shayne Coplan, Polymarket became the dominant prediction market during the 2024 US presidential election and has continued to grow rapidly. Combined monthly trading volume across Polymarket and rival Kalshi quadrupled from under $5 billion to $24 billion between September 2025 and April 2026. Whether that growth trajectory survives a convergence of security failures, marketing fraud, and regulatory crackdowns is the question the company now faces.
(Source: The Next Web)