News Article · Jun 26, 2026 at 7:43 AM
Polymarket Users Lose Millions as Third-Party Breach Injects Malicious Script
Security #supply chain attack #Polymarket #cryptocurrency hack #third-party breach #PeckShield

Polymarket disclosed that a compromised third-party vendor allowed hackers to inject a malicious script into its frontend, stealing an estimated $3 million from more than 11 users. The company says it has contained the issue and is refunding victims in full.

Polymarket, the prediction market platform, disclosed on June 25 that a third-party vendor was compromised, enabling hackers to inject a malicious script into the site's frontend. The attack drained an estimated $3 million in cryptocurrency from at least 11 users, according to blockchain monitoring firm PeckShield.

PeckShield's estimate puts losses at roughly $2.94 million worth of PUSD, Polymarket's stablecoin, which attackers swapped for Ethereum to launder the funds. Polymarket's head of experience, William LeGate, acknowledged the figure in a response on X, confirming the scale of the incident without disputing the amount.

Containment and refunds initiated

Polymarket said it identified the breach the same morning and removed the malicious dependency. In a post on X, the company stated: "We've contained it & removed the affected dependency." LeGate added: "We are refunding affected users in whole, there are no user 'losses'." The company is contacting impacted users directly to process refunds.

  • Attack vector: a compromised third-party vendor injected a malicious script into Polymarket's frontend.
  • Victims: at least 11 user wallets holding PUSD were drained.
  • Laundering method: stolen PUSD was swapped for Ethereum and consolidated into a single address tracked by blockchain monitors.
  • Platform response: Polymarket refunded users in full and removed the compromised dependency.

Broader scrutiny amid growth

The hack comes at a sensitive time for Polymarket, which has been under fire for deceptive marketing. A Wall Street Journal investigation found that the company paid creators to produce fake videos showing large winnings, using near-perfect copies of its website to simulate trades. Polymarket has also faced regulatory attention: the Commodity Futures Trading Commission fined the platform $14 million in 2022 for operating an unregistered exchange.

Despite these issues, Polymarket saw a surge in activity during the 2024 U.S. election cycle, with trading volumes exceeding $10 billion. The company recently launched a podcast and an ad featuring music producer Rick Rubin that drew praise from CNBC’s Andrew Ross Sorkin.

Polymarket has not disclosed the identity of the compromised vendor or whether law enforcement has been notified. The company said it is continuing to monitor for further threats and urged users to review their account activity. No additional attacks have been reported since the fix was deployed.

Fact check

  • Polymarket disclosed a third-party vendor breach on June 25, 2026, that allowed hackers to inject a malicious script into its frontend. (reported)
  • Blockchain monitoring firm PeckShield estimated losses at roughly $3 million, with at least 11 victims. (reported)
  • Polymarket said it was refunding affected users in full. (verified)
