Attackers injected a malicious script into Polymarket via a third-party provider. We break down what happened and how serious it is.
Prediction market platform Polymarket has confirmed that on June 26, attackers compromised a third-party provider and injected a malicious script into the site’s frontend. According to on-chain analysts, hackers drained about $2.9M from at least 11 user crypto wallets.
Hot topic: Bitcoin Recovery Could Stretch Into August Even if Bottom Holds
The company says it has fixed the vulnerability and will fully reimburse affected customers.
Contents
How the Polymarket Attack Happened: Frontend Exploit and Stolen pUSD
Analyst Specter was the first to flag suspicious activity. Hackers used a malicious script for a phishing attack targeting users holding funds in pUSD, Polymarket’s USDC▼$0.9997-backed stablecoin. According to PeckShield, the stolen funds were bridged from Polygon to Ethereum and converted to 1,893 ETH▼$1,547.08.
Bubblemaps estimated the number of affected accounts at fewer than 15, with total losses around $3M.
Polymarket confirmed the incident in its official Polymarket Traders account:
Read more: Best Prediction Markets APIs for Builders in 2026
Second Polymarket Incident in a Month
This is Polymarket’s second security breach in the past two months. In May, the platform reported a $700K internal operations wallet hack caused by a six-year-old private key compromise. That incident did not affect user funds but exposed internal infrastructure vulnerabilities.
The latest attack comes as Polymarket is already dealing with reputational issues. The WSJ recently reported that the platform paid content creators to film fake bets on lookalike sites. Earlier in June, a scandal erupted over the resolution of a market on Strategy’s bitcoin sale.
Despite these challenges, Polymarket remains the largest prediction market platform with total value locked exceeding $450M, up 301% from $112M a year ago.
Learn more: What Is Crypto Cybersecurity? The Ultimate Guide to Protecting Digital Assets
