On June 25, 2026, Polymarket lost roughly $3 million after a third-party vendor compromise injected malicious JavaScript into its frontend. Smart contracts remained intact; affected users are being refunded.

On June 25, 2026, Polymarket discovered that a third-party vendor had been compromised, allowing malicious JavaScript to be injected into the platform's frontend. The attack tricked users into signing fraudulent transactions directly on the official site, draining roughly $3 million in PUSD from fewer than 15 accounts. The platform has guaranteed full reimbursement and confirmed that its servers, backend, and smart contracts were not breached.

Key Takeaways
  • Frontend supply-chain attack: third-party vendor compromised, malicious JavaScript injected on Polymarket's official site
  • Estimated loss of roughly $3 million (nearly $2.94 million per Specter), drained from fewer than 15 accounts and converted into approximately 1,893 ETH
  • Polymarket's smart contracts, servers, and backend found intact; the attack exploited the trust boundary between user and web interface
  • According to the source, this is the second security incident in two months following an admin wallet compromise in May 2026 with estimated losses between roughly $520,000 and $700,000

The Deception Mechanism: Compromised Frontend, Seemingly Legitimate Transactions

The attack did not touch Polymarket's core infrastructure. According to the platform's X post cited by SecurityWeek, a third-party vendor was compromised and allowed a malicious script to be injected into the frontend "for some users." Users were induced to sign PUSD token transfers — Polymarket's USDC-collateralized stablecoin — to addresses controlled by the attacker.

The nature of the attack makes it particularly insidious and hard to defend against. Users interacted with the official domain, saw familiar interfaces, and signed transactions that appeared legitimate. The problem lay not in the smart contract code — verified and intact — but in the chain of trust connecting the user to the protocol through the browser.

"This morning we discovered that a third-party vendor was compromised, injecting a malicious script into our frontend for some users. We have contained the incident and removed the affected dependency" — Polymarket, post on X (via SecurityWeek)

Fund Flow: From Polygon to Ethereum, Approximately 1,893 ETH

After draining the wallets, the attacker moved the funds. According to PeckShield, cited by BleepingComputer, the stolen funds were bridged from Polygon to Ethereum and converted into approximately 1,893 ETH. The addresses involved are documented by analysts.

Specter identified 11 victim wallets, while Bubblemaps estimated the total at fewer than 15 accounts. With a total loss of roughly $2.94 million per Specter, the average comes to approximately $267,000 per account. The numbers confirm the attack targeted high-value accounts rather than indiscriminate collection.

The ICE Context: Valuation and Institutional Investment

Polymarket is valued at roughly $9 billion and has received an investment of approximately $2 billion from Intercontinental Exchange (ICE), operator of the New York Stock Exchange. The platform represents one of the most significant cases of prediction market institutionalization, backed by traditional financial actors.

The June 25, 2026 incident highlights that the compromise of a single third-party vendor — whose name Polymarket has not disclosed — was enough to subvert user trust in the official interface. Investment in smart contract auditing and blockchain infrastructure protection did not extend to the frontend dependency supply chain.

What Changes

The brief contains no detailed operational recommendations. The analysis is based on converging editorial sources; no primary technical advisory with CVE is available. Based on the documented facts, the following contextual elements emerge:

  • Polymarket removed the compromised dependency and contained the incident, but has not disclosed the name of the third-party vendor involved
  • The source does not specify the duration of the malicious script's presence before detection
  • The platform promised full reimbursement to affected users, as confirmed by William LeGate, Polymarket's head of experience: "We are refunding affected users in whole, there are no user 'losses'"
  • Comparison with the May 2026 incident — an admin wallet compromise with estimated losses between roughly $520,000 and $700,000 — shows two different vectors: key management in the first case, frontend supply chain in the second

Why It Matters

The June 25, 2026 incident illustrates a recurring pattern in DeFi protocols: smart contract security does not protect against attacks that exploit the user interface. Polymarket users lost roughly $3 million not because of a protocol vulnerability, but because they signed transactions that appeared legitimate on the official domain.

Polymarket's response — full reimbursement and containment — mitigated the direct impact, but the lack of disclosure about the compromised vendor limits risk assessment by users and investors. At a valuation of roughly $9 billion, frontend supply-chain governance becomes a relevant element for due diligence.

The case arrives amid growing scrutiny of prediction markets. Election betting on Polymarket has drawn regulatory attention, and a security incident that directly hits users — even with reimbursement — adds a variable to the debate over oversight of platforms operating at the boundary between decentralized finance and traditional markets.

The exact mechanism of the third-party vendor compromise and the duration of the malicious script's presence have not been disclosed by available sources.

Information has been verified against cited sources and updated at time of publication.

Sources and references
  1. bleepingcomputer.com
  2. securityweek.com
  3. coingabbar.com
  4. cryip.co
  5. tokenmetrics.com
  6. yellow.com
  7. securityaffairs.com
  8. ts2.tech
  9. resecurity.com