The iGaming Europe

Polymarket Loses $3.1M in Third-Party Vendor Hack

by Marta Sander
June 30, 2026
in Regulatory Compliance
Hackers compromised a third-party vendor to inject a malicious script into Polymarket's frontend, stealing $3.1 million in cryptocurrency from 11 users on June 25, 2026.


Polymarket confirmed on June 25, 2026 that attackers had compromised a third-party vendor and used it to inject a malicious script into the prediction market platform’s frontend, stealing approximately $3.1 million in cryptocurrency from user accounts. The platform says it has contained the breach and is refunding affected users in full.

How the attack unfolded

The vector was a supply chain attack: rather than targeting Polymarket’s own infrastructure directly, the attackers compromised an unnamed external vendor whose code ran on the platform’s frontend. That script intercepted user funds for some visitors to the site before Polymarket identified and removed the affected dependency.

Polymarket announced the incident the same day it was discovered:

“This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it and removed the affected dependency. We’re contacting impacted users and refunding them in full.”

Blockchain monitoring firm PeckShield estimated that 11 users suffered losses in the attack. Polymarket has not officially confirmed the number of affected accounts, named the compromised vendor, or attributed the attack to a specific actor.


User claims prior warning went unheeded

Since Polymarket’s announcement, the platform has faced criticism from users who say they had previously flagged security vulnerabilities. The company has not publicly addressed those claims.

At least one of the users who lost funds offered a possible explanation for how the attack reached them personally. The user wrote:

“My Polymarket account was hacked. I recently bought a VPS from Xorek Cloud and stored my private key on it. I’m not sure how the compromise happened, but that’s the only possible security risk I can think of.”

The account does not conclusively establish how the attacker accessed that user’s funds, and Polymarket has not verified or commented on it. Private key storage on third-party servers is a recognised security risk in cryptocurrency environments regardless of any platform-level breach.

Refunds in process, timeline unclear

Polymarket has committed to full refunds but has not given a timeline for when affected users will receive them. The platform operates on USDC and uses Polygon-based smart contracts, which means refunds involve on-chain transactions that can be tracked publicly once initiated.

The attack adds to a difficult regulatory period for Polymarket. The platform was blocked in Spain alongside Kalshi in May 2026 following a licensing crackdown, and continues to operate without local licences in most European jurisdictions. A proposed EU framework for prediction markets being explored by Malta has not yet advanced to legislation.

Supply chain attacks of this type — where a legitimate vendor relationship is used to distribute malicious code — have become a recognised threat to web-based financial platforms. For a platform handling cryptocurrency directly from user wallets, a frontend injection is particularly damaging: users have no way to identify a compromised script before interacting with it. How quickly Polymarket can complete refunds and independently verify the breach scope will determine how much lasting trust damage the incident causes.

Source: Polymarket

Marta Sander

Marta brings over 10 years of specialized experience covering online casino games, game development, and supplier partnerships across the iGaming industry. Her investigative work has covered major industry developments including Curaçao licensing reforms, UK white paper implementations, and German interstate treaty amendments. She maintains close relationships with regulatory bodies, legal experts, and compliance professionals to deliver accurate, timely reporting that helps businesses stay ahead of regulatory change. Beyond product reviews and operator analysis, Marta provides technical insights into sportsbook platforms, payment processing, risk management systems, and data feed integrations that power modern betting experiences. Her content serves B2B professionals evaluating platform providers, odds suppliers, and trading solutions.

2026 All rights reserved | iO Media Group
