26.06.2026
12:41

Polymarket takes responsibility: full reimbursement of losses after a $3 million hack via a contractor

The decentralized prediction platform Polymarket has officially confirmed a compromise of its frontend infrastructure through a third-party vendor. Attackers injected a malicious script that affected a subset of users, and according to on-chain analysts, stole approximately $3 million in pUSD tokens. The project's administration has promised to fully compensate all victims for their losses.

Attack Details: Contractor Under Fire

The incident was discovered by the Polymarket team during routine monitoring. It turned out that a third-party contractor responsible for part of the client code had been compromised. This allowed attackers to inject a malicious script directly into the site's frontend, which then intercepted transactions or authorization data from a narrow group of users. The platform quickly isolated the issue and removed the infected dependency.

According to reports from on-chain detectives at PeckShield and an analyst under the pseudonym Specter, the damage ranged from $2.94 million to $3 million. The attackers targeted at least 11 wallets, withdrawing pUSD tokens, which were pegged 1:1 to USDC on Polygon. After the theft, the funds were converted to ETH and moved to a single address on the Ethereum network, where they remained at the time the analysis was published. It is important to emphasize that the attack affected the user interface specifically, not Polymarket's underlying smart contracts, which rules out a protocol-wide risk.

Researchers from Bubblemaps clarified that the number of affected accounts does not exceed 15, confirming the targeted nature of the attack. However, the exact identity of the compromised contractor and the duration of the malicious code's presence on the site have not yet been disclosed.

Alarming Trend: Third Incident in Six Months

This is not the first security breach for Polymarket. In May 2026, the platform faced a compromise of a private key for a wallet used in internal operations, leading to losses of about $700,000. In December 2025, user accounts were hacked through a vulnerability in another third-party provider. The current attack is thus the third such episode in the last six months, indicating a systemic problem in supply chain management and control over third-party integrations.

My analysis: Polymarket is demonstrating the right approach by taking financial responsibility and guaranteeing full compensation. This strengthens community trust in the short term. However, repeated attacks through contractors are a worrying sign. The project needs to radically overhaul its security policy: implement mandatory code audits for all third-party libraries, use isolated environments for script execution, and tighten vendor requirements. Otherwise, the reputational risks may outweigh the financial compensation.