
Polymarket says it has contained a supply chain attack that injected malicious code into its website after a compromised third-party vendor exposed some users to a phishing campaign.
This resulted in roughly $3 million in cryptocurrency theft, which the company says will be fully reimbursed.
In a statement posted yesterday on X, Polymarket said it discovered that a third-party dependency had been compromised, allowing a malicious script to be injected into its frontend for some users. The company said it has removed the affected dependency, contained the incident, and is contacting impacted users.
Blockchain security firm PeckShield said the phishing campaign drained approximately $3 million worth of PUSD from Polymarket users. According to the researchers, the attacker bridged the stolen funds from Polygon to Ethereum, where they were swapped for approximately 1,893 ETH.
Blockchain analytics firm Bubblemaps said its investigation found that fewer than 15 accounts were affected, indicating the attack was largely contained before it spread further. The firm also published wallet addresses belonging to affected users and addresses believed to hold the stolen funds, which can help investigators track any future movement of the cryptocurrency.
Polymarket is a blockchain-based prediction market that allows users to trade on the outcomes of real-world events using cryptocurrency. Built on the Polygon network, the platform has become one of the largest decentralized prediction markets.
The company has not disclosed which third-party vendor was compromised or how long the malicious script remained active. Based on the information released so far, the incident appears to have been a software supply chain attack in which attackers compromised an external dependency used by Polymarket rather than the platform's own infrastructure.
The incident follows another security event involving Polymarket earlier this year. In May, blockchain investigator ZachXBT reported that roughly $520,000 had been drained from two Polygon smart contracts associated with the platform. Polymarket said at the time that the losses were caused by a compromised six-year-old private key tied to an internal operations wallet and were not the result of a protocol or smart contract exploit.
Users who accessed Polymarket during the incident should review recent wallet activity for unauthorized transactions and revoke any unnecessary token approvals.
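A way to do the approval review suggested above, as an added example that is not Polymarket's or the researchers' code: it replays ERC-20 `Approval` event logs for one wallet (as returned by an `eth_getLogs`-style query, constructed inline here with placeholder addresses) and flags allowances granted to spenders outside the user's allowlist or set to the unlimited value, which is the pattern a phishing page typically requests.

```python
# Added example, not code from Polymarket or the researchers quoted above.
# Replays ERC-20 Approval event logs for one wallet and flags allowances the
# user should consider revoking. All addresses and log entries are constructed.
UNLIMITED = 2**256 - 1
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def addr_from_topic(topic):
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Latest Approval per (token, spender) wins; an approval of 0 is a revocation."""
    allowances = {}
    for log in logs:  # logs must be in chain order (block number, then log index)
        if log["topics"][0] != APPROVAL_TOPIC: continue
        if addr_from_topic(log["topics"][1]) != owner.lower(): continue
        key = (log["address"].lower(), addr_from_topic(log["topics"][2]))
        amount = int(log["data"], 16)
        if amount == 0:
            allowances.pop(key, None)
        else:
            allowances[key] = amount
    return allowances

def flag_for_revocation(allowances, trusted_spenders):
    """Return (token, spender, amount, reasons) for allowances worth revoking."""
    trusted = {s.lower() for s in trusted_spenders}
    flagged = []
    for (token, spender), amount in allowances.items():
        reasons = []
        if spender not in trusted:
            reasons.append("spender not on your allowlist")
        if amount == UNLIMITED:
            reasons.append("unlimited allowance")
        if reasons:
            flagged.append((token, spender, amount, reasons))
    return flagged

# Constructed sample data: placeholder addresses, not real contracts.
def _topic(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")

def _approval(token, owner, spender, amount):
    return {"address": token, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)]}

OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "11" * 20    # wallet and a stand-in stablecoin
DEX, DRAINER = "0x" + "22" * 20, "0x" + "33" * 20    # a trusted contract and an unknown one
SAMPLE_LOGS = [
    _approval(TOKEN, OWNER, DEX, 1_000 * 10**6),   # ordinary trade approval
    _approval(TOKEN, OWNER, DRAINER, UNLIMITED),  # the kind a phishing page requests
    _approval(TOKEN, OWNER, DEX, 0),              # user later revoked the DEX allowance
]
```

Run `flag_for_revocation(outstanding_allowances(SAMPLE_LOGS, OWNER), {DEX})` to see only the unlimited allowance to the unknown spender reported; on real data, replay logs from the wallet's first transaction onward, since only the most recent approval per spender reflects the current allowance.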