<\/p>\n
Polymarket confirmed Thursday that a hack on one of its third-party vendors allowed attackers to inject malicious code into the prediction market\u2019s front-end, draining roughly US$3 million (AU$4.35 million) in user funds before the company contained the breach.<\/p>\n
The attack did not target Polymarket\u2019s smart contracts. Instead, the compromised vendor served a malicious script to some users\u2019 browsers, which accessed their wallets and drained pUSD, the platform\u2019s USDC-backed stablecoin used to settle all trades.\u00a0<\/p>\n This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.<\/p>\n \u2014 Polymarket Traders (@PolymarketTrade) June 25, 2026<\/p><\/blockquote>\n<\/div>\n<\/figure>\n The attackers then bridged the stolen funds from Polygon to Ethereum and swapped them into about 1,893 ETH, consolidating the proceeds in a single wallet in a common move to obscure the trail and liquidate quickly.\u00a0<\/p>\n Because the malicious code lived in the website rather than the blockchain, affected users had little way to detect that the interface they trusted had been tampered with.<\/p>\n Related: Senate Democrats Demand Probe Into Trump Family Crypto Venture\u2019s UAE Links<\/strong><\/p>\n On-chain investigators at Bubblemaps concluded the damage was largely contained, with fewer than 15 user accounts affected.\u00a0<\/p>\n Polymarket said it would refund impacted customers in full and confirmed the front-end issue had been contained and the affected dependency removed. The limited account count suggests the malicious script reached only a subset of users before the company caught and pulled it.<\/p>\n The company declined to name the compromised vendor or comment further, leaving open questions about how the supply-chain weakness was introduced and whether other platforms relying on the same provider could be exposed.<\/p>\n The breach was Polymarket\u2019s second in two months. In May, a wallet exploit involving compromised employee credentials led to about US$700,000 (AU$1.02 million) in losses, attributed to a private-key compromise rather than a website flaw.<\/p>\n Together, the two episodes point to operational and third-party risk rather than weaknesses in the underlying protocol.\u00a0<\/p>\n Front-end and supply-chain attacks bypass audited smart contracts entirely, striking the website layer and outside dependencies that users rarely scrutinise, a vector that has become an increasingly attractive target as on-chain code itself grows harder to crack.\u00a0<\/p>\n Read more: Australian Crypto Unicorn Immutable Scales Back Game Development in AI Pivot\u00a0\u00a0<\/strong><\/p>\n<\/p><\/div>\n Crypto Heists,Polymarket#Polymarket #Vendor #Breach #Opens #Door #Crypto #Heist1782462463<\/p>\n","protected":false},"excerpt":{"rendered":" A compromised third-party vendor let attackers inject malicious code into Polymarket\u2019s front-end, draining about US$3 million (AU$4.35 million) in user funds. On-chain investigators at Bubblemaps found fewer than 15 accounts were affected, with the attackers converting stolen funds into roughly 1,893 ETH. Polymarket pledged to refund impacted customers in full and said the front-end issue<\/p>\n","protected":false},"author":1,"featured_media":10231,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[423,62,835,3373,815,792,5163],"class_list":["post-10230","post","type-post","status-publish","format-standard","has-post-thumbnail","category-bitcoin","tag-breach","tag-crypto","tag-door","tag-heist","tag-opens","tag-polymarket","tag-vendor"],"yoast_head":"\n\n
Damage Contained<\/h2>\n