
Security researchers classified the incident as a supply chain attack rather than a flaw in Polymarket’s core contracts.
Polymarket confirmed Friday that a compromised third-party vendor allowed attackers to inject malicious code into its frontend, draining about $3 million from fewer than 15 user accounts.
The platform says it will fully refund all affected users.
What Happened
The attack was first flagged by on-chain security researcher Specter, who posted that an apparent phishing campaign had drained funds from more than 11 victim wallets holding Polymarket’s PUSD stablecoin.
At the time, Specter estimated losses at $2.94 million; PeckShield confirmed the figure shortly after and noted that the attacker had bridged the stolen funds from Polygon to Ethereum and converted them into 1,893 ETH.
The prediction market acknowledged the breach through one of its official accounts, Polymarket Traders.
“This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it and removed the affected dependency,” it wrote on X. “We’re contacting impacted users and refunding them in full.”
William LeGate, who works closely with the platform, echoed the statement, saying the issue had been resolved and that affected users would be refunded in full.
Another blockchain security account, GoPlus Security, described the incident as a supply chain attack. It said that the malicious code affected about 15 accounts, with losses totaling $3 million, a conclusion that was also reached by Bubblemaps, which praised Polymarket’s response after the losses were contained.
A Recurring Problem
This is not the first time Polymarket has been hit. Last month, the platform disclosed another breach in which an admin wallet used for employee reward top-ups was drained of about $700,000, likely through a private key compromise. At first, crypto sleuth ZachXBT had estimated the losses to be around $520,000, with Bubblemaps later quoting the higher figure after tracking the funds across several addresses.
Developer Josh Stevens confirmed at the time that a 6-year-old private key had been exposed through an internal configuration and that the company had since rotated credentials and moved to key management services. However, that incident did not touch user funds or core contracts.
While the two incidents involved different attack methods, both targeted systems outside the prediction-market contracts themselves. The latest one also comes at a time when the platform is navigating other reputational headwinds, including a recent Wall Street Journal report claiming that it paid college-age creators between $2,000 and $3,000 per month to post videos of staged bets on dummy versions of the Polymarket website, with none of the more than 1,100 clips traceable to real on-chain activity.
There was also another controversy early this month when a trader claimed that they had lost $500,000 after the prediction service allegedly changed resolution rules for a market tied to Strategy’s Bitcoin sale.