Polymarket Loses $3 Million in Frontend Exploit After Third-Party Vendor Compromise

Polymarket, one of the largest decentralized prediction markets, disclosed on June 25 that hackers stole approximately $3 million through a supply-chain attack on its website frontend. The incident occurred that morning when attackers exploited a compromised third-party vendor to inject malicious JavaScript into the platform’s web interface. The script targeted users holding pUSD, Polymarket’s primary dollar-pegged stablecoin backed by USDC and used across all trading activity on the Polygon network. Funds were drained, converted to ETH, and moved to attacker-controlled wallets.

Blockchain analytics firm Bubblemaps identified that fewer than 15 user accounts were affected, with the damage largely contained. Polymarket said it discovered the compromise early, removed the affected dependency, and isolated the malicious script. The company is now directly contacting impacted users to process full reimbursements. Core smart contracts were not affected, preserving the integrity of open markets and overall platform operations. This marks the second notable security event for Polymarket in recent weeks. In May, a private key compromise of an internal operations wallet led to roughly $700,000 in losses, though that incident did not impact user funds or market infrastructure. The latest exploit comes amid a series of challenges for the prediction market platform, including a recent controversy in which a trader claimed to have lost $500,000 following a disputed Bitcoin sale strategy on Polymarket.

The latest breach highlights persistent vulnerabilities in frontend infrastructure. Many DeFi platforms depend on external vendors for website components, creating potential weak points that attackers can exploit without compromising on-chain protocols. Such supply-chain attacks have increased across the industry, often resulting in direct user wallet drains through injected scripts. Beyond security concerns, Polymarket has also faced increasing scrutiny over its compliance framework, with industry observers raising questions about the platform’s KYC practices and exposure to evolving global regulations.

On-chain investigators noted that the stolen pUSD was rapidly swapped for ETH and consolidated. As of the latest monitoring, the funds remain in the identified attacker wallets. Polymarket has not disclosed the identity of the compromised vendor.

The platform’s swift response, including transparent communication and commitment to user refunds, may help limit reputational damage. The company has additionally drawn attention over its marketing practices after reports alleged that some influencers received payments to promote Polymarket on X without clearly disclosing the sponsorship arrangements. Polymarket continues to see significant trading volume on major global events.