Polymarket confirms supply chain exploit resulting in $3 million customer funds theft
- Marijan Hassan - Tech Journalist
- 3 hours ago
- 2 min read
Blockchain-based prediction market giant Polymarket has confirmed it fell victim to a targeted supply chain cyberattack that allowed malicious actors to inject a fraudulent script into its website’s frontend, draining roughly $3 million from user accounts.

The security breach was detected by internal teams and quickly corroborated by prominent blockchain analytics firms, including PeckShield and Bubblemaps. While the attack targeted a highly specific subset of the platform's active trading base, Polymarket leadership moved swiftly to reassure its users, officially containing the malicious dependency and pledging to fully reimburse all financial losses.
Anatomy of the infiltration
The security compromise did not originate from an exploit within Polymarket’s core smart contracts or backend infrastructure. Instead, attackers compromised an undisclosed third-party software vendor or library dependency utilized by Polymarket's web interface.
By altering this external code, the threat actors successfully executed a localized frontend injection attack. When targeted users interacted with the website, the hidden script initiated a sophisticated phishing routine, hijacking active browser sessions to request unauthorized token approvals. According to on-chain investigators at SpecterAnalyst, the campaign specifically focused on draining pUSD—Polymarket’s native, USDC-backed stablecoin used to place wagers on everything from political outcomes to pop culture events.
Tracking the stolen capital and containing damage
Blockchain telemetry shows that the attack was highly focused rather than a sweeping, platform-wide drainer. Security firms confirmed that the damage was restricted to fewer than 15 high-value victim wallets.
Once the malicious script secured the necessary pUSD token permissions, the attacker systematically transferred the stablecoins out of the victims' accounts on the Polygon network. The stolen assets were immediately routed through a cross-chain bridge over to the Ethereum mainnet. From there, the perpetrator converted the entire haul into approximately 1,893 ETH to obscure the paper trail before consolidating the proceeds into a single, heavily monitored digital wallet.
Remediating the moat and rebuilding reputational trust
Polymarket's response to the incident was immediate. The platform's engineering division completely isolated and removed the affected third-party dependency within hours of discovery, restoring the web frontend to a secure state.
William LeGate, Polymarket's Head of Growth, verified that the issue was fully resolved and reconfirmed that the company is actively contacting the impacted users to process complete financial restitution.
The hack lands at a complicated moment for the prediction market leader, arriving on the heels of a separate regulatory and media controversy regarding its promotional practices. The platform is currently auditing its marketing operations following an investigation revealing that it had paid online influencers to publish videos featuring simulated wagers and artificial winnings.
Despite the overlapping security and public relations hurdles, Polymarket continues to dominate the decentralized betting ecosystem, maintaining a total value locked (TVL) that exceeds $450 million.












