Polymarket confirmed hackers stole approximately $3 million from more than 11 users through a compromised third-party vendor in June. The attack involved malicious frontend code that phished users into approving fraudulent transactions, according to blockchain security firm PeckShield. The company stated it is refunding all affected victims in full, emphasizing that its core infrastructure and onchain markets were not directly breached. The incident highlights growing security challenges facing prediction markets as the sector experiences rapid growth and increased regulatory scrutiny.
Polymarket disclosed that a compromise at one of its outside providers allowed attackers to inject malicious code into its frontend for some users. The tampered script powered a phishing campaign that tricked victims into approving fraudulent transactions, which then drained funds from their connected wallets.
"We have contained the incident," Polymarket stated, adding that it removed the affected dependency. The company emphasized that its own core infrastructure and onchain markets were not breached, with the weak link being a third-party supplier whose code was served through Polymarket's website.
Blockchain security firm PeckShield estimated the losses at roughly $3 million drained from more than 11 victims. The attack was a supply-chain compromise, in which adversaries target a trusted vendor to reach a larger platform rather than attacking that platform's systems directly.
Because the malicious code lived in the website's frontend rather than the underlying smart contracts, the exploit hit the layer most users interact with. Visitors who loaded the compromised page were prompted to sign transactions that appeared legitimate but instead handed control of their assets to the attackers. Funds locked in Polymarket's onchain markets were never directly at risk, but users who approved the spoofed transactions saw their wallets emptied.
Polymarket stated it is contacting victims individually as it processes refunds, absorbing the cost of a breach that originated outside its own infrastructure. The company is refunding affected users "in full."
The platform has processed more than 100 million trades to date, making it one of the most active venues in crypto. Polymarket and rival Kalshi together drove a record month in April.
Polymarket recently deployed Chainalysis surveillance tools to monitor market integrity. U.S. lawmakers have probed prediction markets over insider-trading safeguards, with one Republican bill seeking to bar members of Congress and their families from wagering on policy outcomes.
Republican Rep. Bryan Steil introduced the Stop Lawmakers from Predicting Act, a bill that would bar House members, their families, and senior staff from trading on prediction market platforms.
What happened in the Polymarket security breach in June?
Hackers stole approximately $3 million from more than 11 Polymarket users through malicious code injected via a compromised third-party vendor. The attack used frontend phishing to trick users into approving fraudulent transactions that drained their connected wallets.
How is Polymarket responding to affected users?
Polymarket confirmed it is refunding all affected victims in full and stated it has contained the incident by removing the compromised third-party dependency. The company emphasized that its core infrastructure and onchain markets were not directly breached.