Polymarket hit by $3M cyberattack via third-party dependency, promises full refunds
Polymarket has been targeted by hackers exploiting a third-party dependency. Some users report being hacked, and blockchain analysts flagged $3 million outflows from the company. Polymarket has reassured all impacted users that they will be refunded in full.
-
Polymarket suffered a $3 million loss after a third-party vendor compromise.
-
Attackers reportedly used the malicious frontend script to trick users into signing unauthorized transactions.
-
Polymarket has contained the breach and confirmed that all affected users will be fully refunded.
Betting site Polymarket confirmed on June 25th that cyberattackers stole funds after compromising one of the company's third-party vendors. The incident affects an unspecified number of users.
“This morning, we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full,” the company posted on X.
Blockchain analysts flagged some outflows of roughly $3 million that appear to have landed in the attacker’s wallets.
An on-chain investigator who goes by the alias Specter on X noted that hackers drained funds from over 11 victim wallets that were holding pUSD, the collateral token Polymarket uses for all betting on the dollar-denominated platform. It’s a standard ERC-20 token on Polygon, backed by the stablecoin USDC.
Specter noted that attackers swapped the stolen assets for ETH and consolidated the proceeds to a single new address. It currently holds roughly 1,788.5 ETH, or $2.8 million worth of cryptocurrency, and 104.4 ETH ($165,130) has already been withdrawn. The attackers used other addresses in the attack as well.
William LeGate, growth lead at Polymarket, responded to the Specter’s post, saying, “There are no user losses,” and that Polymarket is refunding all users.
Some users on X reported allegedly unauthorized withdrawal transactions.
Polymarket hasn’t disclosed which third-party vendor or what dependencies were compromised. Cybernews reached out to the company for more details and will update this story with its response.
It appears the supply-chain attack targeted the Polymarket website’s interface rather than the core systems powering Polymarket contracts, likely tricking some users into confirming malicious transactions.
According to blocknomi.com, hackers injected malicious JS code into the frontend, and when the affected users connected to their wallets, the script prompted them to sign or approve transactions.
Unlock more exclusive Cybernews content on YouTube.
