Polymarket Loses $2.9M in Frontend Attack, Pledges Full Refunds
Polymarket suffered a $2.94 million theft after attackers injected malicious scripts via a compromised third-party vendor. At least 11 users were hit. The platform says it has contained the breach and will fully refund victims. The incident adds to a record-setting Q2 for crypto hacks.
Quick Take
- Malicious script injection drained $2.94M from 11+ Polymarket wallets.
- Compromised third-party vendor was entry point; now contained.
- Polymarket to fully refund victims, dependency removed.
- June sees $74.9M crypto exploit losses across 29 incidents.
Market Impact Analysis
Bearish: Confirmed $2.9M theft from Polymarket may undermine confidence in decentralized prediction markets, though full refunds mitigate long-term damage.
Key Takeaways
- Attackers injected malicious script via a compromised Polymarket third-party vendor, draining $2.94 million from 11+ user wallets.
- Polymarket contained the breach, removed the dependency, and will fully refund all affected users.
- The hack adds to June's $74.9 million in crypto exploit losses across 29 incidents, the second-highest month this quarter.
- Private key compromises account for 43% of recent exploit losses, highlighting ongoing opsec risks.
What Happened
Polymarket's frontend was compromised Thursday after attackers breached a third-party vendor and injected a malicious script. The script triggered phishing prompts that drained users who unknowingly signed transactions. At least 11 wallets were hit for a total of $2.94 million. Polymarket quickly confirmed the breach, removed the infected dependency, and announced that all victims would be fully refunded. The platform stated that the compromise has been contained. No core contracts or protocol funds were affected. This marks the second security incident at Polymarket in a month, following a $600,000 exploit traced to a stale private key.
The Numbers
The $2.94 million theft comes on the heels of a record-setting Q2 for crypto hacking. June alone saw $74.9 million in exploit losses across 29 incidents, up from $60.5 million in May but well below April's $644 million. Private key compromises have been the most common attack vector, responsible for 43% of losses in the past 30 days. Polymarket's total value locked has surged 301% year-over-year to over $450 million, underlining the stakes as the platform scales. The company's quick refund pledge mitigates the direct user impact but does little for broader trust erosion.
Why It Happened
The attack vector was a classic supply chain compromise. A third-party vendor with access to Polymarket's frontend was breached, allowing attackers to slip malicious code onto the site. This code mimicked legitimate wallet interactions but actually siphoned funds. The incident highlights how exposed web users are: even trusted domains can turn hostile if a dependency is compromised. For Polymarket, the attack follows an earlier exploit tied to a six-year-old private key, suggesting a need for tighter security hygiene across both internal operations and external partnerships.
Broader Impact
This breach lands in a dangerous quarter for crypto security. Q2 is already the most-hacked period on record by incident count. The Polymarket attack reinforces the need for rigorous third-party audits and browser-level safeguards. With prediction markets booming—Polymarket's TVL up 300%—high-value platforms are increasingly in attackers' crosshairs. The full refund promise is a short-term fix, but user confidence in frontend integrity may take a hit.
What to Watch Next
- Scrutiny of third-party integrations: expect other platforms to tighten vendor access and conduct emergency audits.
- Regulatory attention: high-profile hacks on prominent prediction markets could draw even more oversight from global regulators.
- Market reaction: user deposit flows into Polymarket may dip temporarily, though a swift refund could restore activity quickly.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.