26.06.2026
11:56

Attack on Polymarket via a third-party contractor: platform promises full reimbursement of losses

The prediction market platform Polymarket has confirmed an attack that led to the theft of approximately $3 million from users. The incident occurred due to the compromise of a third-party contractor, which allowed attackers to inject a malicious script into the website's frontend. Polymarket representatives stated that they have already contained the issue and removed the dangerous dependency, and that affected users will be fully compensated for their losses.

Attack Details and Scale of Damage

According to on-chain analysts, the attack affected fewer than 15 accounts. The attackers withdrew pUSD tokens from users' wallets. For context, pUSD is Polymarket's native stablecoin on the Polygon network, backed by USDC at a 1:1 ratio via a smart contract. After the withdrawal, the stolen assets were converted into ETH and consolidated at a single Ethereum address. At the time of analysis, the funds remained at this address, indicating that the attackers may be waiting for a favorable moment to launder them.

It is important to emphasize: the attack targeted the user interface specifically, not the platform's smart contracts. This means that Polymarket's underlying infrastructure remained untouched, which somewhat reduces systemic risks but does not diminish the severity of the incident for those affected.

Alarming Trend: Third Incident in Six Months

This is not the first time Polymarket has faced security issues. In May 2026, the platform reported the compromise of a private key for a wallet used for internal operations. The damage then amounted to approximately $700,000, although user funds were officially unaffected. And in December 2025, several accounts were hacked due to a vulnerability at a third-party provider — the exact amounts and number of victims were not disclosed at the time.

Such recurring incidents, especially involving third-party contractors, raise serious questions about Polymarket's due diligence and risk management processes. For a platform aspiring to leadership in the prediction market sector, these kinds of "teething problems" in security are unacceptable.

My Expert Commentary

Despite the swift response and promise of full compensation, Polymarket needs to fundamentally rethink its security model. Repeated attacks through third-party contractors point to a systemic issue in the software supply chain. The market needs not just promises of compensation, but transparent audits and the implementation of multi-layered protection, including isolating critical components from third-party dependencies. Otherwise, the next incident could prove fatal to user trust.