Polymarket hit by $2.94M crypto theft via third-party breach

A third-party breach at Polymarket has exposed users to a sophisticated theft, with attackers injecting malicious code into the platform’s frontend and draining approximately $2.94 million in cryptocurrency. The incident, disclosed on June 25, 2026, highlights ongoing vulnerabilities in decentralized finance ecosystems where external dependencies can become gateways for fraud.
A supply-chain attack with immediate impact
The breach originated from a compromised third-party vendor whose software was integrated into Polymarket’s user interface. Attackers exploited this access to inject malicious JavaScript, targeting users’ wallets holding PUSD—a stablecoin used on the platform. According to blockchain security researchers, over 11 wallets were drained in a coordinated phishing campaign, with stolen funds quickly bridged from Polygon to Ethereum and converted into 1,893 ETH. Security firms including Specter, PeckShieldAlert, and GoPlus Security all flagged the incident within hours of detection.
Response and accountability
Polymarket acknowledged the breach shortly after discovery, stating it had contained the malicious script and removed the affected dependency. The company confirmed it is reaching out to impacted users and committed to full reimbursement for all losses. While the technical specifics of the attack remain undisclosed, the swift acknowledgment and restitution signal a recognition of user trust as critical to platform viability. The incident also underscores the broader risks in DeFi, where composability and third-party integrations can amplify exposure to supply-chain threats.
In a separate but related development, Polymarket recently faced scrutiny over promotional practices involving paid content that misrepresented betting outcomes. While not directly linked to the security incident, that episode points to broader governance and transparency concerns within the platform. As investigations continue, the breach serves as a reminder that in decentralized markets, security is only as strong as the weakest third-party link.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

