Polymarket Takes Responsibility: Full Reimbursement of Losses After Hack via Third-Party Contractor
Prediction market platform Polymarket has announced full reimbursement for users affected by a recent attack. According to on-chain analysts, the incident resulted in the theft of approximately $3 million in assets. The attackers compromised a third-party contractor's infrastructure, allowing them to inject a malicious script into the platform's user interface.
The Polymarket team responded quickly to the threat: they isolated the issue, removed the infected dependency, and have already contacted affected users for full reimbursement. Platform representative Connor Brandi confirmed the theft of funds but declined to provide additional comments.
Attack Details and Scale of Damage
According to data from analytics firm PeckShield, the damage from the attack amounts to approximately $3 million. An analyst under the pseudonym Specter specified that losses are estimated at $2.94 million, with more than 11 user wallets affected. The attackers withdrew pUSD tokens from victims' wallets, then converted them into ETH and consolidated them on a single Ethereum address. At the time of the analysis, the funds were still located at that address.
It is important to emphasize: the attack affected only the user interface, not Polymarket's smart contracts. This means the protocol's fundamental security was not compromised. Nevertheless, the platform has not yet disclosed which contractor was hacked or how long the malicious code was present on the site. Data from Bubblemaps indicates that fewer than 15 accounts were affected, suggesting partial containment of the damage.
Systemic Issue: Third Incident in Six Months
This attack is not the first security breach at Polymarket in recent months. In May 2026, the platform faced a compromise of a private key for a wallet used in internal operations. The damage then amounted to approximately $700,000, but user funds were not affected, according to the team.
Another similar episode occurred in December 2025, when hackers breached several user accounts due to a vulnerability at a third-party provider. In that case, the platform also did not disclose the exact number of victims or the amount of damage.
This series of incidents raises serious questions about Polymarket's operational security. Although the platform demonstrates a willingness to reimburse losses, repeated attacks through third-party contractors point to a systemic vulnerability in the supply chain. To strengthen community trust, Polymarket must not only pay compensation but also implement stricter audit and monitoring procedures for its integrations.
Cryptalist Expert Opinion: Polymarket, as a leader in decentralized predictions, should view these incidents as a wake-up call. Full reimbursement is correct but insufficient. The industry needs preventive measures, not reactive ones. If the platform does not overhaul its security model, reputational risks may exceed financial losses.