Polymarket suffered a security breach Thursday after hackers exploited a compromised third-party vendor, the prediction market platform announced. The attack enabled malicious code injection into Polymarket's frontend, resulting in the theft of approximately $3 million in customer funds from fewer than 15 user accounts, according to blockchain investigations firm Bubblemaps. The incident marks Polymarket's second security breach in two months, following a prior exploit last month that cost the company roughly $700,000 from a compromised employee wallet used for user rewards.
Hackers Injected Malicious Code Through Compromised Vendor
The attackers exploited a third-party vendor to inject malicious code into Polymarket's website frontend, the company stated in an X post. Polymarket declined to identify which vendor was compromised when contacted by Decrypt. The breach allowed hackers to drain funds from customer wallets containing pUSD, a Polymarket-specific dollar-pegged stablecoin backed by USDC used for all platform trading. The stolen funds were then converted into ETH and consolidated into an Ethereum wallet, where they remain as of writing. On-chain investigators at Bubblemaps identified specific affected wallet addresses, concluding that potential damage was largely contained with less than 15 user accounts impacted.
Polymarket Commits to Full Refunds for Affected Users
Polymarket announced it is refunding all impacted customers in full. The company stated the frontend issue has been contained and removed. Polymarket did not specify what measures it will implement to prevent future exploits involving third-party vendors that are directly involved in the site's operation.
Platform Experienced $700,000 Exploit Last Month
Last month, Polymarket suffered a separate hack targeting a wallet used by company employees to top up and pay out user rewards. That exploit resulted in approximately $700,000 in losses and was likely caused by a private key compromise, according to the company. Security experts stated at the time that the incident did not appear to impact the company's infrastructure or pose broader risks. Both exploits demonstrate hackers' ability to infiltrate major platforms through peripheral vulnerabilities even when core protocols remain secure.
FAQ
How much did hackers steal from Polymarket users in the Thursday exploit?
Hackers stole approximately $3 million worth of customer funds from fewer than 15 user accounts, according to blockchain investigations firm Bubblemaps.
What caused the Polymarket security breach on Thursday?
The breach occurred after hackers exploited a compromised third-party vendor to inject malicious code into Polymarket's website frontend, enabling unauthorized access to customer wallets containing pUSD stablecoin.
Will Polymarket users affected by the hack receive refunds?
Polymarket announced it is refunding all impacted customers in full and stated the frontend vulnerability has been contained and removed.
