Supply Chain Attack Targets Polymarket Frontend
The prediction market platform Polymarket announced on Thursday that a security breach involving a third-party vendor led to hackers stealing user funds. The compromise allowed malicious code to be injected into Polymarket's frontend, affecting some users. Polymarket quickly identified and contained the issue, removing the affected dependency.
Blockchain monitoring firms, including PeckShield and Specter, estimate that the attackers siphoned off approximately $3 million worth of cryptocurrency. This figure was further supported by on-chain analytics firm Bubblemaps, which estimated that fewer than 15 accounts were affected. The stolen assets, primarily PUSD (Polymarket's dollar-pegged stablecoin), were then swapped for Ethereum (ETH) and consolidated into a single wallet, a common tactic to obscure the trail and liquidate funds.
Polymarket Pledges Full Refunds Amidst Growing Security Concerns
In response to the breach, Polymarket has committed to fully refunding all affected users. William LeGate, Polymarket's head of experience, reiterated this commitment on X, stating, "We are refunding affected users in whole, there are no user 'losses'." The company is actively contacting those impacted by the incident.
This incident marks the second security challenge for Polymarket in as many months. In May, the platform experienced a separate hack where approximately $700,000 was lost due to an exploited private key associated with an internal operations wallet. While Polymarket clarified that the previous incident did not involve a breach of its core contracts or infrastructure, these consecutive events are raising concerns about the platform's overall security controls.
The Mechanics of the Attack: Phishing and Malicious Scripts
The recent attack is characterized as a supply chain compromise rather than a direct breach of Polymarket's core infrastructure. Hackers gained access to a third-party vendor, enabling them to inject a malicious script directly into Polymarket's website frontend. This script then facilitated a suspected phishing attack, draining funds from user wallets that interacted with the compromised interface.
Blockchain analyst Specter noted that the attack appeared to be a phishing campaign targeting Polymarket users. The stolen PUSD was rapidly bridged from the Polygon network to Ethereum and converted into roughly 1,893 ETH. This method allowed attackers to bypass Polymarket's core smart contracts, demonstrating the increasing sophistication of attacks that target external service providers and frontend vulnerabilities.
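One control against this class of frontend compromise is pinning third-party scripts with Subresource Integrity (SRI) and auditing pages for unpinned ones. The sketch below is an added example, not Polymarket's or its vendor's code. It assumes the vendor code is loaded through an external script tag, which the reporting does not confirm, and every host name and script body in it is constructed.

```javascript
// Added example (not Polymarket's code): audit a page's <script src> tags against SRI pins.
const { createHash } = require('node:crypto');

// SRI value for a script body, in the "<alg>-<base64 digest>" form browsers check.
function sriDigest(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Classify every external script in `html`. `served` maps URL -> body actually
// delivered (a constructed stand-in for fetching each URL). Regex parsing is a
// simplification for the example; use a real HTML parser on real pages.
function auditScripts(html, pageOrigin, served) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs)?.[1];
    if (!src) continue; // inline script: a CSP concern, SRI does not apply
    const url = new URL(src, pageOrigin);
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs)?.[1];
    const where = url.origin === new URL(pageOrigin).origin ? 'first' : 'third';
    let status = `unpinned-${where}-party`;
    if (pin) {
      // Simplification: accept a match on any listed hash (browsers use the strongest).
      const body = served[url.href];
      const ok = body !== undefined && pin.split(/\s+/).some((p) =>
        /^sha(256|384|512)-/.test(p) && p === sriDigest(body, p.split('-')[0]));
      status = ok ? 'ok' : 'mismatch';
    }
    findings.push({ url: url.href, status });
  }
  return findings;
}

// Constructed sample: app.example, vendor.example and both script bodies are hypothetical.
const GOOD = 'window.widget = { version: 1 };';
const TAMPERED = GOOD + ' window.widget.extra = true;';
const PAGE = 'https://app.example/';
const HTML = `
<script src="/static/app.js"></script>
<script src="https://vendor.example/widget.js" integrity="${sriDigest(GOOD)}" crossorigin="anonymous"></script>
<script src="https://vendor.example/analytics.js"></script>`;

// Statuses for the three tags when the vendor serves `widgetBody` for widget.js.
function demo(widgetBody) {
  const served = { 'https://vendor.example/widget.js': widgetBody };
  return auditScripts(HTML, PAGE, served).map((f) => f.status);
}

console.log(demo(GOOD));
console.log(demo(TAMPERED));
```

A `mismatch` is the case where a browser enforcing the pin would refuse to run the changed vendor file. An `unpinned-third-party` entry is a script the vendor can change without the page noticing.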
A Broader Landscape of Crypto Security Threats
Polymarket has faced various security challenges, including phishing and social engineering attacks, since last year. These incidents often involve tricking users into providing credentials on fake websites, which then allows attackers to drain their wallets. In a previous instance, a user lost over $2 million after entering a one-time password into a fraudulent website mimicking Polymarket.
The ongoing speculation surrounding a potential POLY token airdrop has also exacerbated the phishing risk. Attackers exploit this anticipation by creating fake eligibility pages and claim portals to lure users into compromising their accounts. Polymarket recently removed language from its FAQ that previously denied plans for a token or airdrop, further fueling this speculation and creating more opportunities for malicious actors.
