Polymarket Vendor Breach Opens Door for $3M Crypto Heist

By José Oramas June 26, 2026 In Crypto Heists, Polymarket
  • A compromised third-party vendor let attackers inject malicious code into Polymarket’s front-end, draining about US$3 million (AU$4.35 million) in user funds.
  • On-chain investigators at Bubblemaps found fewer than 15 accounts were affected, with the attackers converting stolen funds into roughly 1,893 ETH.
  • Polymarket pledged to refund impacted customers in full and said the front-end issue had been contained, but declined to name the breached vendor.

Polymarket confirmed Thursday that a hack on one of its third-party vendors allowed attackers to inject malicious code into the prediction market’s front-end, draining roughly US$3 million (AU$4.35 million) in user funds before the company contained the breach.

The attack did not target Polymarket’s smart contracts. Instead, the compromised vendor served a malicious script to some users’ browsers, which accessed their wallets and drained pUSD, the platform’s USDC-backed stablecoin used to settle all trades. 

The attackers then bridged the stolen funds from Polygon to Ethereum and swapped them into about 1,893 ETH, consolidating the proceeds in a single wallet, a common move to obscure the trail and liquidate quickly.

Because the malicious code lived in the website rather than the blockchain, affected users had little way to detect that the interface they trusted had been tampered with.

Damage Contained

On-chain investigators at Bubblemaps concluded the damage was largely contained, with fewer than 15 user accounts affected. 

Polymarket said it would refund impacted customers in full and confirmed the front-end issue had been contained and the affected dependency removed. The limited account count suggests the malicious script reached only a subset of users before the company caught and pulled it.

The company declined to name the compromised vendor or comment further, leaving open questions about how the supply-chain weakness was introduced and whether other platforms relying on the same provider could be exposed.

The breach was Polymarket’s second in two months. In May, a wallet exploit involving compromised employee credentials led to about US$700,000 (AU$1.02 million) in losses, attributed to a private-key compromise rather than a website flaw.

Together, the two episodes point to operational and third-party risk rather than weaknesses in the underlying protocol. 

Front-end and supply-chain attacks bypass audited smart contracts entirely, striking the website layer and outside dependencies that users rarely scrutinise. That vector has become an increasingly attractive target as on-chain code itself grows harder to crack.

José Oramas
Author

José is a journalist and translator with a keen interest in blockchain and cryptocurrencies.
