A third-party security breach at Polymarket has led to the theft of nearly $3 million in cryptocurrency from user wallets, adding to a difficult week for the prediction market platform.
Quick Summary – TLDR:
- Hackers stole about $3 million in cryptocurrency from Polymarket users.
- The attack was linked to a compromised third-party vendor that injected malicious code into the company’s website.
- More than 11 users may have been affected, according to blockchain researchers.
- Polymarket says it has contained the incident and will fully refund impacted users.
What Happened?
Polymarket confirmed on Thursday that hackers managed to steal funds from some of its users after a third-party vendor was compromised. The breach allowed attackers to inject a malicious script into parts of the platform’s frontend, exposing users who interacted with the affected website interface.
The company said it has removed the affected dependency, contained the incident, and is reaching out to victims to provide full refunds. However, Polymarket has not disclosed how many users were impacted or identified the vendor involved in the breach.
This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.
— Polymarket Traders (@PolymarketTrade) June 25, 2026
How the Attack Worked?
According to blockchain security firm PeckShield, the attack resulted in the theft of approximately $3 million worth of cryptocurrency. The firm also warned users about what appeared to be a phishing campaign targeting Polymarket customers.
On chain data reviewed by blockchain analyst Specter showed that funds were drained from wallets holding PUSD, Polymarket’s stablecoin. The stolen assets were then moved from the Polygon network to Ethereum and converted into roughly 1,893 ETH.
Security researchers described the incident as a supply chain attack rather than a direct breach of Polymarket’s infrastructure. In such attacks, hackers compromise a third-party service or software dependency and use it to deliver malicious code to users.
Importantly, there is no indication that Polymarket’s core smart contracts were exploited.
Users Report Missing Funds
Even before Polymarket publicly acknowledged the incident, several users had taken to social media claiming that funds had disappeared from their accounts. Blockchain researchers estimate that more than 11 victims may have been affected by the attack.
Polymarket spokesperson Connor Brandi confirmed that the breach resulted in stolen funds but declined to provide additional details about the incident.
The company said in a post on X that affected users will be “refunded in full.”
Another Blow for Polymarket
The hack comes during what has become one of the company’s most difficult periods.
Earlier this week, an investigation by The Wall Street Journal alleged that Polymarket paid online creators to publish deceptive videos showing large betting wins that never actually happened on the platform. The report reviewed more than 1,100 videos and found that the bets shown in the clips were fabricated.
Polymarket responded by saying it would conduct an audit of its promotional content.
The company has also faced increasing regulatory pressure in several countries, including India, Spain, France, Belgium, Poland, and Italy, where authorities have imposed restrictions on the platform.
In May, blockchain investigator ZachXBT highlighted another incident involving roughly $520,000 drained from two smart contracts on the Polygon network. Polymarket later said that event was linked to a compromised private key and not a direct exploit of the platform.
Growing Challenges Despite Rapid Expansion
Founded by Shayne Coplan, Polymarket became one of the most prominent prediction markets during the 2024 United States presidential election and has seen rapid growth since then. Combined monthly trading volume across Polymarket and rival platform Kalshi reportedly jumped from less than $5 billion to $24 billion between September 2025 and April 2026.
The latest hack, however, raises fresh questions about platform security and whether Polymarket can maintain user trust while dealing with security incidents, regulatory scrutiny, and growing public criticism.
SQ Magazine Takeaway
I think this incident shows a growing problem in the crypto industry. Even when a platform’s core systems remain untouched, a weak link in the supply chain can still put millions of dollars at risk. Polymarket’s decision to refund users is the right move, but rebuilding trust may take much longer than reimbursing stolen funds.
