Crypto news

26.06.2026
13:46

Polymarket was hacked through a contractor: April warnings turned out to be prophetic

The decentralized prediction platform Polymarket has officially confirmed a security breach. Attackers reached the client side of the website through a compromised third-party contractor and injected a malicious script that was served to a subset of users. The team states that the incident has been contained, the dangerous dependency has been removed, and affected users are promised full compensation for their losses.

However, the crypto community is currently arguing less about the hack itself than about the negligence of the project's leadership. Users point out that as early as April 2026 they had flagged this attack vector, but their warnings were ignored and ridiculed.

Timeline of Events and Reaction

Polymarket reported that the attack occurred through a compromised account of an external service provider. This allowed hackers to inject code into the platform's frontend, affecting a limited number of users. The team responded promptly: they removed the infected script and contacted affected users to arrange compensation.

April Warnings: A History of Being Ignored

The community's main grievance is not the hack itself, but the fact that it was predicted several months before the incident. One user on X (formerly Twitter) published screenshots dated April 28, 2026, in which they detailed the risks of compromise through third-party integrations. According to them, Polymarket at the time publicly mocked such discussions, boasting about its cyber resilience and, in effect, challenging hackers.

"Taunting potential attackers is a sure recipe for disaster, especially for a large platform that is already a prominent target," the user wrote, adding that their arguments were ignored. Now, they believe the incident only confirms that those who were ridiculed at the time were right.

This case is not the first and, I fear, far from the last. Polymarket has already been a target for attackers, and the platform's scale makes it a constant target. Ignoring security signals from the community is an alarming sign for the entire DeFi ecosystem.

Analyst's Opinion: Polymarket demonstrated a classic example of "security by obscurity," where a company relies on the absence of attacks rather than proactive defense. The April warnings were not just "crying into the void" but a precise technical analysis of the vulnerability. Ignoring such signals is not a mistake but a systemic failure in security culture, which inevitably leads to losses sooner or later. The prediction market needs not only smart contracts but also smart cybersecurity solutions.