
Polymarket Hack Climbs to $3.1M as Security Woes Mount

The Polymarket hack that rattled the prediction markets world late last week has gotten significantly worse. What initially looked like a roughly $2.9 million phishing incident has now been revised upward to $3.1 million — and the timing couldn’t be more uncomfortable for a platform that’s already juggling a separate federal investigation into its marketing practices.

  • The Polymarket hack drained roughly $3.1 million in PUSD tokens from 11 user wallets via a compromised third-party vendor script.
  • The Polymarket hack involved funds being immediately bridged from Polygon to Ethereum, complicating recovery efforts for affected users.
  • Polymarket pledged full refunds to impacted PUSD holders after removing the malicious frontend dependency.
  • The incident adds to a string of security breaches at Polymarket, which is also reportedly under federal investigation over deceptive marketing.

What the Polymarket Hack Actually Involved

According to blockchain intelligence firm AMLBot, which has been actively tracking the Polymarket hack on X, hackers drained funds from 11 user wallet accounts, making off with roughly $3.1 million worth of PUSD — Polymarket’s native collateral and settlement token used across all trades on the decentralised platform. The stolen assets were held on Polygon but were almost immediately bridged over to Ethereum, a common technique attackers use to obscure the trail and make recovery harder.

Blockchain security firm PeckShield was among the first to publicly flag the Polymarket hack on Thursday, estimating the initial haul at around 1,893 ETH. A separate intelligence platform, Specter Analyst, put early losses at roughly $2.94 million before AMLBot’s updated figure settled at $3.1 million. The incremental revisions upward are typical of these investigations — on-chain forensics take time, and attackers don’t always move everything in one transaction.

Polymarket acknowledged the breach on Thursday via X, confirming a supply chain-style attack rather than a direct exploit of its own code: “This morning we discovered a third party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it and removed the affected dependency. We’re contacting impacted users and refunding them in full.” The platform says the vulnerability has been neutralised, but as of Saturday morning US time, it hadn’t responded to press inquiries for further detail.

A Phishing Script Hidden in Plain Sight

The mechanics of the Polymarket hack are worth understanding, because they reflect a broader problem plaguing Web3 platforms. This wasn’t a brute-force smart contract exploit or a private key compromise on Polymarket’s own infrastructure. It was a supply chain attack — a malicious actor compromised a third-party vendor whose code was loaded directly into Polymarket’s frontend. When affected users visited the site, that rogue script ran silently in their browser, likely prompting wallet signature requests that drained funds without obvious red flags.

This type of vector has become increasingly popular against crypto platforms precisely because it bypasses the most hardened parts of a protocol. You can have an audited smart contract and a secure backend, and still get taken down by a compromised JavaScript dependency. The SolarWinds attack demonstrated this in traditional enterprise software years ago — crypto platforms are learning the same lesson, often the hard way.

One affected user, going by Ash on X, said his wallet had been drained without any clear indication of how it happened at the time. He publicly shared both his own and the attacker’s wallet addresses — a move that allowed on-chain investigators to begin tracing the funds almost immediately. That kind of transparency from victims is genuinely useful for the forensics community, even if it can’t undo the damage.

The Polymarket Hack Is Part of a Disturbing Pattern

If this were an isolated incident, Polymarket’s swift response and refund pledge might be enough to move past it. But the Polymarket hack in June 2026 is the third notable security event the platform has experienced in less than a year — and that’s a pattern that demands scrutiny.

In December, Polymarket confirmed a security incident on its Discord channel after users began reporting missing funds and suspicious login attempts. The platform attributed those breaches to an unidentified third-party login provider. Then in March, blockchain investigator ZachXBT flagged a suspected breach where over $520,000 was reportedly drained from two smart contracts on the Polygon blockchain. At the time, Polymarket insisted users’ funds were safe — a claim that, given what followed, looks increasingly hollow in retrospect.

Three incidents in under twelve months, spanning login providers, smart contracts, and now frontend dependencies. Each Polymarket hack points the finger at a third party. That may be factually accurate, but it raises a legitimate question about Polymarket’s vendor management and the thoroughness of its security audits. Blaming the supply chain gets harder to accept when the supply chain keeps failing in your direction.

Federal Investigation Adds Pressure at the Worst Time

The security chaos surrounding the Polymarket hack is unfolding against an already difficult backdrop. According to reports prompted by a Wall Street Journal investigation, Polymarket is currently under federal scrutiny over what authorities describe as false or deceptive social media marketing — specifically, users allegedly boasting about winnings in ways designed to lure in new participants. It’s the kind of thing regulators have been watching the prediction markets space for, particularly as platforms like Polymarket have grown dramatically in visibility following high-profile political prediction cycles.

The combination of a federal investigation and a third security breach in less than a year creates a compounding credibility problem. Prediction markets only work if users trust the platform holding their funds. Every incident that erodes that trust — whether it’s a phishing attack or a government probe — chips away at the foundation the whole product is built on.

What Happens to the Stolen PUSD?

AMLBot says it’s continuing to monitor wallets linked to the Polymarket hack, and the bridging of assets from Polygon to Ethereum is a known red flag that investigators track closely. Once funds cross chains, they often pass through mixers or decentralised exchanges to be further obfuscated. Recovery at that point becomes extremely difficult without exchange-level cooperation — and even then, it’s a long shot.

Polymarket’s pledge to refund affected users in full is the right call, and it’s the kind of immediate response that stops a security breach from becoming an existential PR crisis. But it also means the platform is absorbing what is now confirmed to be a $3.1 million loss. For a company reportedly under investigation and navigating a string of breaches, that’s a significant financial and reputational hit to absorb simultaneously.

The broader crypto industry has been wrestling with frontend and supply chain attacks for years, and the defences are improving — but slowly. Subresource integrity checks, stricter content security policies, and more rigorous vendor auditing are all tools available to platforms. Whether Polymarket had any of these in place before the Polymarket hack, and why they weren’t enough, are the questions its security team needs to answer publicly — not just for its own users, but for an industry watching to see how a major platform handles the aftermath of being hit three times in a row.
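Subresource integrity, one of the defences named above, pins a third-party script to the digest of the version that was reviewed, so a file altered at a compromised vendor no longer matches. The audit below is an added example, not part of the original article or of Polymarket's code; the hosts, URLs, script bodies and the `auditScripts` helper are constructed for illustration.

```javascript
// Added example (not from the article): Subresource Integrity audit of a page.
const crypto = require("node:crypto");

// SRI value for a script body, in the "<alg>-<base64 digest>" form browsers expect.
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Constructed sample data: hypothetical hosts, URLs and script bodies.
const FIRST_PARTY = "app.example";
const reviewedWidget = "export function track(e) { queue.push(e); }";
const servedBodies = {
  // What the vendor CDN serves now: the reviewed file plus an injected tail.
  "https://cdn.vendor-a.example/widget.js": reviewedWidget + "\n/* injected */",
  "https://cdn.vendor-b.example/chat.js": "console.log('chat');",
};
const page = `
<script src="/main.js"></script>
<script src="https://cdn.vendor-a.example/widget.js"
        integrity="${sriHash(reviewedWidget)}" crossorigin="anonymous"></script>
<script src="https://cdn.vendor-b.example/chat.js"></script>`;

// Classify every third-party script tag as ok, mismatch or missing-integrity.
// Regex tag matching is a simplification that suits this constructed markup.
function auditScripts(html, bodies, firstPartyHost) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc="([^"]+)"/i.exec(attrs)?.[1];
    if (!src) continue; // inline script, out of scope here
    const url = new URL(src, `https://${firstPartyHost}`);
    if (url.hostname === firstPartyHost) continue;
    const integrity = /\bintegrity="([^"]+)"/i.exec(attrs)?.[1];
    if (!integrity) {
      findings.push({ src: url.href, status: "missing-integrity" });
      continue;
    }
    // Recompute each pinned digest over the body actually served.
    const ok = integrity.trim().split(/\s+/).some((pin) => {
      const alg = pin.split("-")[0];
      return ["sha256", "sha384", "sha512"].includes(alg) &&
        sriHash(bodies[url.href] ?? "", alg) === pin;
    });
    findings.push({ src: url.href, status: ok ? "ok" : "mismatch" });
  }
  return findings;
}
```

Run against the sample page, the pinned vendor script is reported as a mismatch because its served body changed, and the unpinned one is reported as missing an integrity attribute, which is the case where a browser would load whatever the vendor serves.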

Source: CoinDesk

Sara Ali Emad
I’m Sara Ali Emad. I have a strong interest in both science and the art of writing, and I find creative expression to be a meaningful way to explore new perspectives. Beyond academics, I enjoy reading and crafting pieces that reflect curiosity, thoughtfulness, and a genuine appreciation for learning.