
Polymarket Says $3 Million Stolen in Supply-Chain Hack, Begins Full Refunds


Summary

  • Polymarket said about $3 million in assets was stolen after a third-party service provider was hacked.
  • Polymarket said it removed the malicious code, fixed the website security issue and is providing full refunds to all affected users.
  • The latest attack targeted an external supply chain rather than Polymarket’s core protocol, and followed a separate incident last month that caused about $700,000 in losses, adding to concerns about its security controls.

Photo: Shutterstock

Polymarket said about $3 million of user assets was stolen after its website was compromised through a hack at a third-party service provider. The decentralized prediction-market platform has begun reimbursing all affected users.

Decrypt reported on June 25 that the attack stemmed from a breach at one of Polymarket’s third-party vendors. The attacker used that access to inject malicious code into the front end of Polymarket’s website and steal assets from some users’ wallets.

Onchain analytics firm Bubblemaps estimated that fewer than 15 accounts were affected and that roughly $3 million was taken.

Polymarket said it has removed the malicious code and resolved the website security issue. The company is providing full refunds to all affected users.

The attacker stole pUSD, the dollar-pegged stablecoin used for trading on Polymarket, from users’ wallets, then swapped it for Ether and moved the funds to a single wallet. pUSD is a Polymarket-specific stablecoin issued against Circle’s dollar-backed USDC as collateral.

The incident was an attack on an external service supply chain rather than on Polymarket’s core protocol. The breach highlighted the importance of supply-chain security because the attacker targeted a partner company instead of the platform’s core systems to reach user assets.

Last month, Polymarket also suffered an attack on a wallet used for employee compensation, in what was believed to be a private-key leak, resulting in about $700,000 in losses. At the time, the company said its internal infrastructure and user assets were not directly affected. A second security incident in two months is adding to concerns about its security controls.

#Hacking

20min@bloomingbit.io
Hello, I'm a reporter at bloomingbit
