In brief
- Hackers exploited a compromised third-party vendor to steal about $3 million from a handful of Polymarket users.
- Polymarket says the issue is fixed and affected users will be fully reimbursed.
- It marks the platform's second security incident in two months.
One of Polymarket’s third-party vendors suffered a hack Thursday, the prediction market said, leaving its website vulnerable to an exploit that analysts said led to millions of dollars lost for users of the platform.
Polymarket declined comment when reached by Decrypt, and did not say publicly which of its vendors was compromised. But the attack allowed hackers to inject malicious code into the prediction market’s front-end, the company said in an X post.
Ultimately, the hackers stole some $3 million worth of customer funds.
On-chain sleuths at Bubblemaps concluded that potential damage from the hack was largely contained, with less than 15 user accounts affected. The blockchain investigations firm did not immediately respond to Decrypt’s request for comment.
Some Polymarket accounts affected:
0x349606c1b77F3Ba668879CbC9347f15a44cF8fc4
0xFB84a9d631A3a19204B82c78dFeb90b220255fB5
0x4aeC70021891EA712AAf3e2dD76c30f6b09A4ce9
0x987B441a20Dd4AA4bA6d53069E852E7f820adF43
0x2d7BE5170a8026c18709EAEa1027c7f12E8Ce2Ce…— Bubblemaps (@bubblemaps) June 25, 2026
Polymarket said it is in the process of refunding impacted customers in full, and that the frontend issue has been contained and removed.
It is as of yet unclear what steps the prediction market platform can take to prevent such an exploit from happening in the future, given that it relies on some external, third-party businesses that are apparently directly involved in the site’s operation.
The attackers appear to have drained funds from Polymarket customer wallets containing pUSD, a Polymarket-specific dollar-pegged stablecoin backed by USDC, that is used to facilitate all trading on the platform. They then converted the stolen funds into ETH, and compiled them into an Ethereum wallet, where, as of writing, they remain.
Last month, Polymarket suffered another hack, of a wallet used by company employees to top up and pay out user rewards. The exploit lost the company roughly $700,000, and was likely caused by a private key compromise. It did not appear to impact the company’s infrastructure or pose broader risks, experts said at the time.
Both that exploit and today’s, however, point to the ability of hackers to infiltrate major companies on the margins, even when core protocols remain secure.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.