26.06.2026
12:26

Polymarket takes responsibility: full refund after a $3 million attack through a contractor

The prediction market Polymarket has officially confirmed a compromise of its infrastructure through a third-party vendor and has pledged to fully compensate affected users for their losses. According to on-chain analysts, the attackers managed to withdraw assets worth approximately $3 million.

Incident Details

The attack was detected on the morning of June 25, 2026. A malicious script had been injected into the platform's frontend for some users through a compromised third-party contractor. The Polymarket team quickly isolated the issue and removed the infected dependency. Platform representative Connor Brandi confirmed the theft of funds but declined to comment further.

According to the analytics platform PeckShield, the damage amounted to approximately $3 million. An analyst using the pseudonym Specter put the figure at $2.94 million and reported over 11 affected wallets. Bubblemaps, in turn, recorded fewer than 15 affected accounts and published some of their addresses, noting that the potential damage was largely contained.

Technical Aspects and Fund Movement

The attackers withdrew pUSD tokens from user wallets. pUSD is Polymarket's native token on the Polygon network, backed by USDC at a 1:1 ratio through an on-chain smart contract. After the theft, the attackers converted the stolen assets into ETH and consolidated them into a single Ethereum address, where the funds remain at the time of writing. The attack affected only the user interface, not the platform's smart contracts. Polymarket has not yet disclosed which contractor was hacked or how long the malicious code was present on the site.

Systemic Issue: Third Episode in Six Months

This is already the second security incident for Polymarket in recent months. In May 2026, the platform faced a compromise of the private key for a wallet used for internal account top-up operations. The damage then amounted to about $700,000, although user funds, according to the platform, were not affected. Looking more broadly, this is the third similar case in six months: in December 2025, Polymarket reported a hack of several accounts due to a vulnerability in a third-party provider, without disclosing the amount or the number of victims.

My analysis: Polymarket demonstrates a responsible approach by taking financial responsibility, but three incidents in six months is a warning sign for the entire industry. Dependence on third-party contractors is becoming a critical point of failure. Users should consider: the security of DeFi platforms is often only as strong as the weakest third party in their stack.