The prediction platform Polymarket has promised to fully reimburse users after an attack via a third-party contractor. On-chain analysts estimate that hackers stole around $3 million.
This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.
— Polymarket Traders (@PolymarketTrade) June 25, 2026
"[...] we found that a third-party contractor had been compromised, allowing a malicious script to be injected into the frontend for some users. We have localized the issue and removed the affected dependency. We are reaching out to impacted users and fully reimbursing their losses," representatives of the platform clarified.
Polymarket representative Connor Brandi confirmed to TechCrunch that the incident resulted in the theft of user funds but did not answer additional questions.
Details of the Attack
According to PeckShield, the damage from the attack amounted to approximately $3 million.
— PeckShieldAlert (@PeckShieldAlert) June 25, 2026
An analyst using the pseudonym Specter estimated the losses at around $2.94 million and reported over 11 affected wallets.
It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far.
The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds into the following address:… pic.twitter.com/6WfS0JhdDG
— Specter (@SpecterAnalyst) June 25, 2026
According to Bubblemaps, the attack affected fewer than 15 accounts. The company also published some addresses of the affected users and noted that potential damage was largely contained.
Some Polymarket accounts affected:
0x349606c1b77F3Ba668879CbC9347f15a44cF8fc4
— Bubblemaps (@bubblemaps) June 25, 2026
0xFB84a9d631A3a19204B82c78dFeb90b220255fB5
0x4aeC70021891EA712AAf3e2dD76c30f6b09A4ce9
0x987B441a20Dd4AA4bA6d53069E852E7f820adF43
0x2d7BE5170a8026c18709EAEa1027c7f12E8Ce2Ce…
According to Decrypt, the attackers withdrew pUSD from user wallets. According to the platform's documentation, the Polymarket token on the Polygon network is backed by USDC at a 1:1 ratio, with collateral secured on-chain via a smart contract.
After the withdrawal, the assets were exchanged for ETH and consolidated into one Ethereum address. At the time of writing, the funds remained there. Available information indicates that the attack targeted the user interface rather than Polymarket's smart contracts. The company did not disclose which contractor was hacked or how long the code had been on the site.
Third Similar Incident in Six Months
This attack marks the second security incident for Polymarket in recent months. In May, the platform faced a compromise of a wallet's private key used for internal account funding operations. According to Bubblemaps, the damage at that time was around $700,000, but user funds and market permissions were reportedly unaffected.
In a broader context, this is the third similar incident in six months. In December 2025, Polymarket reported the hacking of several user accounts due to a vulnerability in a third-party provider. At that time, the platform did not disclose the exact number of affected users, the amount of damage, or the name of the provider.
It is worth noting that in May, hacker attacks targeted Ekubo, TrustedVolumes, THORChain, Verus, Echo, and Map Protocol.