Polymarket Hack: $3M Drained in Supply-Chain Frontend Attack

TLDR:

• Polymarket hack stemmed from a compromised third-party vendor that injected malicious JavaScript into the platform’s frontend.
• Over 11 wallets lost PUSD on Polygon; stolen funds were bridged to Ethereum and swapped into 1,893 ETH.
• Polymarket confirmed the breach within 15 minutes of the first public report and removed the affected dependency.
• Polymarket pledged full refunds to all impacted users while on-chain investigators continue tracking the stolen ETH.

A supply-chain attack hit Polymarket on June 25, 2026, draining close to $3 million from user wallets. Attackers compromised a third-party vendor to inject malicious code into the platform’s frontend.

The script targeted PUSD, Polymarket’s native collateral token on Polygon. At least 11 wallets lost funds before the platform contained the breach.

Polymarket has since removed the affected dependency and pledged full refunds to all impacted users.

How the Attack Reached Polymarket Users

The attack did not target Polymarket’s smart contracts. Instead, attackers breached a third-party vendor that supplied code to the platform’s frontend. That vendor became the entry point for malicious JavaScript delivered directly to users’ browsers.

When affected users connected their wallets, the injected script activated. It prompted them to sign or approve transactions without raising obvious suspicion. Those approvals handed over control of their PUSD holdings to the attacker.

On-chain investigator Specter was the first to flag the activity publicly. His report identified losses of roughly $2.94 million across more than 11 victim wallets. He also named the primary consolidation address: 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD.

Polymarket confirmed the breach about 15 minutes after Specter’s report. The platform’s public statement read: “This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.”

Following the Stolen Funds On-Chain

After the wallets were drained, the attacker moved quickly to obscure the trail. The stolen PUSD was bridged from Polygon to Ethereum shortly after the theft. That cross-chain move is a common step in crypto laundering flows.

Once on Ethereum, the funds were swapped into approximately 1,893 ETH. PeckShield confirmed this detail after amplifying Specter’s initial report. The ETH was then consolidated into the primary wallet flagged by investigators.

Several staging wallets were also identified during the fund movement. These included addresses such as 0xC771A30a, 0xC44F2Ca6, 0x10366AdB, and 0x7BCECe0d. Each one played a role in routing the stolen assets before consolidation.

Despite the volume of stolen PUSD, the token held its peg throughout. CoinGecko data showed it trading near $0.9998 on Polygon after the incident. The theft hit individual wallets rather than the underlying token backing.

What Comes Next for Polymarket

Polymarket has committed to reimbursing every affected user in full. The platform says it is already contacting impacted wallets directly. That pledge covers the losses tied to the supply-chain breach.

This is not the platform’s first perimeter-level security event. In May 2026, a compromised internal ops wallet drained roughly $500,000, though user funds were not touched. Earlier in 2025, comment-section phishing also cost some users funds.

Each of these cases showed that the protocol itself remained intact. The weak points have consistently appeared in the surrounding infrastructure. The June 25 incident follows that same pattern.

The stolen ETH remains traceable on-chain, keeping recovery possible. Investigators continue monitoring the consolidation wallet. The identity of the compromised vendor and the final victim count have not yet been disclosed publicly.