Polymarket confirmed Friday that hackers drained user funds after a compromised third-party vendor injected malicious code into the platform's website; PeckShield put the losses at approximately $3 million. The prediction-market platform said it had contained the breach and would refund affected users in full.

"This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users," Polymarket's official X account posted Friday. "We've contained it & removed the affected dependency. We're contacting impacted users and refunding them in full."

Blockchain security firm PeckShield estimated that roughly $3 million in pUSD, Polymarket's USDC-backed trading stablecoin on Polygon, was stolen. A blockchain analyst cited by SecurityWeek confirmed losses from at least 11 victim accounts. The attacker bridged the stolen funds from Polygon to Ethereum and swapped them into approximately 1,893 ETH. On-chain analytics firm Bubblemaps concluded that fewer than 15 accounts were affected overall.

The attack did not touch Polymarket's core smart contracts or backend servers. Instead, the attacker compromised an unnamed third-party software dependency that Polymarket's web frontend loads. When users connected their wallets on the affected site, a hidden script triggered transaction-approval prompts, routing funds to attacker-controlled wallets. Polymarket has not publicly identified which vendor was breached.