Polymarket confirmed on June 25, 2026 that attackers had compromised a third-party vendor and used it to inject a malicious script into the prediction market platform’s frontend, stealing approximately $3.1 million in cryptocurrency from user accounts. The platform says it has contained the breach and is refunding affected users in full.
How the attack unfolded
The vector was a supply chain attack: rather than targeting Polymarket’s own infrastructure directly, the attackers compromised an unnamed external vendor whose code ran on the platform’s frontend. That script intercepted user funds for some visitors to the site before Polymarket identified and removed the affected dependency.
Polymarket announced the incident the same day it was discovered:
“This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it and removed the affected dependency. We’re contacting impacted users and refunding them in full.”
Blockchain monitoring firm PeckShield estimated that 11 users suffered losses in the attack. Polymarket has not officially confirmed the number of affected accounts, named the compromised vendor, or attributed the attack to a specific actor.
User claims prior warning went unheeded
Since Polymarket’s announcement, the platform has faced criticism from users who say they had previously flagged security vulnerabilities. The company has not publicly addressed those claims.
At least one of the users who lost funds offered a possible explanation for how the attack reached them personally. The user wrote:
“My Polymarket account was hacked. I recently bought a VPS from Xorek Cloud and stored my private key on it. I’m not sure how the compromise happened, but that’s the only possible security risk I can think of.”
The account does not conclusively establish how the attacker accessed that user’s funds, and Polymarket has not verified or commented on it. Private key storage on third-party servers is a recognised security risk in cryptocurrency environments regardless of any platform-level breach.
Refunds in process, timeline unclear
Polymarket has committed to full refunds but has not given a timeline for when affected users will receive them. The platform operates on USDC and uses Polygon-based smart contracts, which means refunds involve on-chain transactions that can be tracked publicly once initiated.
The attack adds to a difficult regulatory period for Polymarket. The platform was blocked in Spain alongside Kalshi in May 2026 following a licensing crackdown, and continues to operate without local licences in most European jurisdictions. A proposed EU framework for prediction markets being explored by Malta has not yet advanced to legislation.
Supply chain attacks of this type — where a legitimate vendor relationship is used to distribute malicious code — have become a recognised threat to web-based financial platforms. For a platform handling cryptocurrency directly from user wallets, a frontend injection is particularly damaging: users have no way to identify a compromised script before interacting with it. How quickly Polymarket can complete refunds and independently verify the breach scope will determine how much lasting trust damage the incident causes.
Source: Polymarket