Polymarket Lost $3M After Third-Party Vendor Was Hacked

iEXExchanger
Hackers compromised a third-party vendor to inject malicious code into Polymarket's frontend, draining roughly $3M in PUSD from user wallets. The platform's second security breach in a month.

On the morning of June 25, Polymarket disclosed a breach — one with an unusual twist. The attacker bypassed smart contracts and blockchain entirely. Instead, they compromised a third-party vendor whose code was embedded in Polymarket's website, using that foothold to inject a malicious script directly into the frontend.

The script activated silently whenever users accessed their accounts. Its target was PUSD — Polymarket's internal collateral token backed by USDC. Fewer than fifteen wallets were drained, losing roughly $3 million in total. The attacker immediately converted the stolen PUSD into ETH and funneled everything into a single address, leaving a trail visible only through blockchain explorers.

Polymarket removed the compromised dependency within hours and posted on X: "We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full." Growth Lead William LeGate confirmed the refund process was underway. The company did not disclose which vendor was responsible.

The timing matters. Just one month ago, Polymarket suffered another breach when hackers drained an internal employee wallet used for account top-ups and platform rewards — roughly $700,000. User funds were safe that time. This attack went further, hitting user accounts directly.

What happened here is a software supply chain attack adapted for Web3. All the decentralization in the world doesn't change the fact that nearly every crypto product runs on conventional web infrastructure: third-party libraries, CDN providers, analytics tags, vendor SDKs. Compromise any one of those, and you get a backdoor to user funds regardless of how airtight the smart contracts are. The blockchain wasn't touched. The website was.

Two significant breaches in thirty days put Polymarket in uncomfortable territory, especially as it competes directly with Kalshi, which has gained regulatory momentum in the US. Whether these incidents shift user confidence — and with it, trading volume — is the practical question the platform now has to answer.

Questions and answers

Frequently asked questions about this article

How did the hackers get into Polymarket?

Attackers compromised a third-party vendor whose code was embedded in Polymarket's website, then injected a malicious script through that vendor. The attack did not involve smart contracts or the blockchain itself.

What is PUSD and why was it targeted?

PUSD is Polymarket's internal collateral token backed by USDC, used as the primary trading currency on the platform. It was held in the user wallets that the malicious script was designed to drain.

Will affected users get their money back?

Yes. Polymarket publicly committed to fully refunding all affected users and said it is contacting each of them directly.

Is this Polymarket's first major hack?

No. About a month earlier, hackers drained an internal Polymarket employee wallet for approximately $700,000. User funds were not affected in that incident. The June attack was the second in 30 days.

What is a software supply chain attack?

A supply chain attack targets a vendor or dependency rather than the end product directly. The malicious code reaches users through a trusted channel — a library, plugin, or external service — making it harder to detect than a direct intrusion.