Polymarket confirms hackers stole $3M from users after third-party vendor was compromised

TL;DRHackers drained roughly three million dollars from Polymarket users via a compromised vendor that injected malicious code into its frontend.

Polymarket confirmed on Thursday that hackers stole funds from users after a third-party vendor was compromised, allowing malicious code to be injected into the prediction market’s website. Blockchain monitoring firm PeckShield estimated the losses at roughly three million dollars worth of cryptocurrency, drained from more than 11 victims.

The company said in a post on X that it had “contained” the incident and removed the affected dependency. Polymarket said it is contacting victims and “refunding them in full,” though it did not specify how many users were affected or name the compromised vendor.

Polymarket spokesperson Connor Brandi confirmed to TechCrunch that the breach led to funds being stolen but declined to provide additional details. The company did not respond to specific questions about the incident.

The 💜 of EU techThe latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!On-chain data reviewed by blockchain analyst Specter showed funds being drained from victim wallets holding PUSD, Polymarket’s stablecoin. The stolen assets were rapidly bridged from Polygon to Ethereum and converted into roughly 1,893 ETH, a common tactic used by attackers to obscure the trail and liquidate funds quickly.