Hackers steal $3M from Polymarket; users to be refunded

Polymarket reported that attackers exploited a compromised third-party vendor to inject malicious code into the platform’s frontend on June 25, 2026. The exploit redirected or drained funds during normal site interactions and removed the vulnerability after the incident. The company said affected customers will be fully reimbursed.

On-chain investigators traced the activity and found the losses totaled about $3 million. They concluded that fewer than 15 user accounts were impacted and published a set of blockchain addresses tied to the exploit. The stolen assets were collected into a single Ethereum wallet.

The tokens taken were primarily pUSD, a dollar-pegged stablecoin issued by Polymarket and backed by USDC, which the site uses to settle trades. Blockchain traces show the attackers converted the pUSD into ether and moved the proceeds into one consolidated address that currently holds the funds.

Polymarket posted that it is ‘in the process of refunding impacted customers in full’ and that ‘the frontend issue has been contained and removed.’ The company declined to identify the compromised vendor and did not provide additional technical details when contacted.

The June 25 incident follows a security breach in late May in which a wallet used by Polymarket employees to top up and pay rewards was exploited. That earlier breach cost roughly $700,000 and was attributed to a likely private key compromise; it was reported not to have affected the platform’s core infrastructure.

Investigators and the company have not released a detailed plan of measures to prevent similar vendor-based injections. Polymarket said it will continue monitoring blockchain activity tied to the incident while working to reimburse affected users.