Several Polymarket users reported unexpected losses just before Christmas, prompting the platform to confirm a security issue tied to a third-party login service.
Quick Summary – TLDR:
- Multiple Polymarket users had their accounts drained, reportedly due to a vulnerability in a third-party authentication provider.
- The issue mainly impacted users who signed in using Magic Labs’ email-based login, not those using direct wallet connections.
- Polymarket says the flaw has been fixed and no ongoing risks remain, though exact user impact is undisclosed.
- This incident adds to a growing list of security issues involving Web3 platforms and third-party services.
What Happened?
Between December 22 and 24, users on Reddit, X, and Discord began reporting that their Polymarket accounts were showing suspicious login attempts followed by balance wipes. Many confirmed that their devices were secure, two-factor authentication was enabled, and no phishing links had been clicked. Despite these precautions, their account funds were gone.
Polymarket quickly responded through its official Discord, acknowledging a security vulnerability linked to a third-party authentication provider. While the platform stopped short of naming the provider, all signs pointed to Magic Labs, which powers email-based logins and non-custodial Ethereum wallets for first-time crypto users.
ICYMI: @Polymarket has stated that the recent security breach that led to several account hacks was the result of a third-party authentication provider, Magic Labs.
— crypto.news (@cryptodotnews) December 24, 2025
Accounts Drained Despite Precautions
Affected users shared a common pattern. Most had used Magic Labs’ login system, sometimes referred to as a “magic link,” allowing them to access Polymarket using just an email.
Caution if you’re using magic links for your @Polymarket account. There appears to be a coordinated attempt to drain accounts accessed via magic link, possibly by exploiting an underlying vulnerability.
— shawtyisaten (@shawtyis_a_10) December 23, 2025
- One Reddit user noted, “Today I woke up and see 3 attempts to login to Polymarket… all my deals were closed and balance is $0.01.”
- Another user said they also saw three login attempts before their account was drained, despite not clicking any suspicious links and having 2FA enabled.
Reports consistently mentioned that direct wallet users were not affected, and the core Polymarket smart contracts remained secure.
No Ongoing Risk, Says Polymarket
Polymarket has stated that the vulnerability has been patched, and there is no continuing threat to user accounts. The platform has begun contacting those affected but has not shared how many users were impacted or how much was lost. A spokesperson confirmed:
This incident mirrors previous ones the platform has faced:
- In September 2024, attackers drained wallets using proxy function calls on accounts linked via Google logins.
- In November 2025, a phishing campaign in comment sections resulted in over $500,000 in losses, although that attack relied on deceptive links, not technical flaws.
Bigger Risk in Web3 Login Systems
While Polymarket’s main protocol was untouched, this breach highlights an ongoing challenge in crypto: balancing ease of use with security. Services like Magic Labs are attractive for newcomers because they eliminate the need for traditional crypto wallets or managing private keys. However, these conveniences can become liabilities.
This event reaffirms the “weakest link” problem in Web3: a secure protocol can still be undermined by third-party integrations.
Regulatory and Market Context
The timing of the incident is notable. In recent months, Polymarket has seen significant growth, recording over $3 billion in trading volume and 338,000 unique traders by October. It also received an Amended Order of Designation from the U.S. Commodity Futures Trading Commission (CFTC), allowing it to operate under a federal regulatory framework.
With this new spotlight, security concerns are even more critical. Although the breach was relatively contained, it may prompt the platform to rethink its approach to user onboarding and third-party dependencies.
SQ Magazine Takeaway
This is one of those “hard lesson” moments for both platforms and users in Web3. I get the appeal of quick email-based logins, especially for newcomers who want to skip the wallet setup. But stories like this show how fragile that convenience can be. Even if the core tech is rock-solid, one crack in the login system can shatter user trust. If you’re jumping into crypto, now’s a good time to reconsider how you secure your assets. For Polymarket, it’s not just about fixing the issue but proving they’ve learned from it.
