Polymarket compensates $3 million in user losses after attack via contractor: incident analysis
Prediction platform Polymarket has officially confirmed a hack that occurred through a compromised third-party contractor, and has promised to fully reimburse affected users for their losses. According to on-chain analysts, the attackers managed to steal approximately $3 million.
According to a statement from the Polymarket team, a malicious script was injected into the frontend for a limited number of users. The issue was contained, and the dependency was removed. Platform representative Connor Brandi confirmed the theft of funds but declined to provide additional comments.
Attack Details and Fund Movements
An analyst under the pseudonym Specter estimated the damage at $2.94 million and reported over 11 compromised wallets. According to PeckShield, the attackers withdrew pUSD tokens (backed 1:1 by USDC via a smart contract on Polygon), then converted them into ETH and consolidated them at a single address on the Ethereum network. At the time of writing, the funds remained in that wallet.
Bubblemaps clarifies that the attack affected fewer than 15 accounts, and the potential damage was largely contained. It is important to emphasize: the incident impacted the user interface, not Polymarket's underlying smart contracts. The company has not yet disclosed which specific contractor was compromised or how long the malicious code was present on the site.
Systemic Issue: Third Episode in Six Months
This is the second security breach at Polymarket in recent months. In May 2026, the platform suffered a leak of the private key for a wallet used for internal operations (damage ~$700,000). In December 2025, user accounts were compromised through a vulnerability at a third-party provider; the exact amount of damage and the provider's name were not disclosed at that time.
Expert Commentary from Cryptalist: Recurring incidents involving third-party contractors point to a fundamental problem in vendor risk management. Polymarket, as the largest prediction platform, must immediately implement multi-layered code verification and strict access policies for vendors. Otherwise, user trust, especially ahead of the 2028 elections, could be permanently undermined. For now, full reimbursement of losses is the right step, but an insufficient one.
Against the backdrop of a series of hacks on other protocols (Ekubo, THORChain, Verus, etc.), this incident underscores that even top DeFi platforms are not immune to attacks through human error and external integrations.