Polymarket takes responsibility: full reimbursement of losses after a $3M attack via a contractor
The decentralized prediction market platform Polymarket has officially stated its readiness to fully compensate users who suffered losses as a result of a recent cyberattack. According to on-chain analytics, the incident affected more than a dozen wallets, with total damages estimated at approximately $3 million.
According to the team's official statement, the attackers compromised a third-party contractor and injected a malicious script into the platform's frontend for some users. The issue was promptly contained, and the infected dependency was removed. Polymarket is already contacting affected users and guarantees full reimbursement of lost funds.
Attack Details and Fund Movement
Analysts from PeckShield confirmed that the attack was phishing in nature. The attackers withdrew pUSD tokens from victims' wallets. For context, pUSD is Polymarket's internal stablecoin on Polygon, backed 1:1 by USDC through an on-chain smart contract. After the theft, the assets were converted to ETH and transferred to a single address on the Ethereum network, where the funds remained untouched at the time of the analysis.
An expert under the pseudonym Specter estimated the damages at $2.94 million and identified more than 11 affected addresses. Data from Bubblemaps also indicates that the attack impacted fewer than 15 accounts and that the potential damage was largely contained. The incident affected only the user interface, not the platform's smart contracts themselves, which is a critical distinction from protocol-level attacks.
Systemic Issue: Third Incident in Six Months
This is not the first security breach for Polymarket. In May 2026, the private key of an internal operations wallet was compromised, resulting in losses of approximately $700,000. In December 2025, user accounts were hacked through a vulnerability in a third-party provider. According to the team, neither of the previous incidents affected users' principal funds or resolved markets.
Analytical Commentary: Repeated attacks through third parties are an alarming signal for the entire DeFi ecosystem. Polymarket demonstrates the right approach by taking financial responsibility, but the root of the problem lies in insufficient control over the software supply chain. Until platforms implement multi-layered checks and isolation of third-party scripts, such incidents will recur, undermining trust in seemingly reliable protocols.