Polymarket Confirms $3M Loss From Compromised Third-Party Front-End

Polymarket disclosed that hackers drained approximately $3 million through a compromised third-party vendor whose malicious code was injected into the platform's website. The company said it will fully refund fewer than 15 affected accounts.

Jun 27, 2026, 02:02 PM


The Breach

Polymarket confirmed that hackers exploited a compromised third-party vendor to inject malicious code into its front-end website, resulting in approximately $3 million drained from user accounts. The attack targeted a supply-chain dependency rather than Polymarket's core infrastructure, a vector that has become increasingly common in cryptocurrency platforms and web applications over the past two years.

Refund Plan

Polymarket said it will issue full refunds to fewer than 15 affected accounts. The company did not disclose the timeline for those refunds or provide details on how many total users accessed the platform while the malicious code was active. No statement was made on whether the third-party vendor's security practices would be audited or replaced going forward.

Response and Ongoing Investigation

The company has not announced a postmortem or technical breakdown of how the malicious code was injected or what data it may have accessed beyond drained balances. Polymarket did not identify the third-party vendor by name or provide specifics on when the breach was discovered and when the malicious code was removed from its website.

Why It Matters

For Traders

The breach appears contained to fewer than 15 accounts, but traders should verify their Polymarket balances and review recent transaction history for unauthorized withdrawals.

For Investors

Third-party supply-chain attacks highlight operational risk for centralized front-ends; the incident underscores the security burden of custody and web infrastructure in prediction markets.

For Builders

Infrastructure teams should audit their vendor dependencies and consider subresource integrity (SRI) hashing and content security policies (CSP) to mitigate malicious injection attacks.
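
As an added example (not from Polymarket or the original article), the Python sketch below audits a page for cross-origin scripts that carry no SRI pin or whose currently served body no longer matches the pin. The hostnames, script bodies and the `audit` helper are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALGS = ("sha256", "sha384", "sha512")  # hash algorithms defined for SRI


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Integrity value for a script body, in the form '<alg>-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"


class ScriptTags(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit(html: str, own_host: str, served: dict) -> list:
    """Flag cross-origin scripts that are unpinned or no longer match their pin.
    `served` maps each pinned src to the bytes currently delivered for it."""
    parser = ScriptTags()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc
        if not host or host == own_host:
            continue  # same-origin script, outside this check
        pins = [p for p in (integrity or "").split() if p.split("-")[0] in ALGS]
        if not pins:
            findings.append((src, "missing integrity"))
        elif not any(sri_hash(served[src], p.split("-")[0]) == p for p in pins):
            findings.append((src, "hash mismatch"))
    return findings


# Constructed sample data: the vendor script as reviewed, and a modified copy.
REVIEWED = b"window.widget = {init() {}};"
TAMPERED = REVIEWED + b"/* changed upstream */"
PAGE = f"""<script src="/app.js"></script>
<script src="https://cdn.vendor.example/widget.js" integrity="{sri_hash(REVIEWED)}" crossorigin="anonymous"></script>
<script src="https://stats.vendor.example/t.js"></script>"""
```

A pin only helps when the vendor file is versioned and immutable, since any legitimate update also changes the hash. A CSP `script-src` allow-list complements it by restricting which origins may serve scripts at all.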
