Polymarket's turbulent June just reached a new low on Thursday when the prediction market confirmed that a compromised third-party vendor allowed attackers to add malicious JavaScript into its frontend, draining an estimated $2.94 million from at least 11 user wallets in a single morning.

Polymarket confirmed the breach about 15 minutes after on-chain investigator Specter flagged the activity publicly, posting on X: "This morning, we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full."

The attack was a classic supply-chain compromise. The malicious script targeted PUSD, Polymarket's native collateral token on Polygon. PUSD is an ERC-20 token backed 1:1 by USDC and, since its rollout in April 2026, has become the primary asset used for trading across the platform.

When affected users connected their wallets, the corrupted code prompted them to approve unauthorized transactions. The stolen PUSD was then bridged from Polygon to Ethereum and swapped into an estimated 1,893 ETH, which was consolidated into a single attacker-controlled address.

Blockchain analytics firm Bubblemaps confirmed the damage was largely contained to fewer than 15 wallets, calling it a "great response by Polymarket." PeckShield independently confirmed the approximately $3 million figure.

Polymarket has declined to name the compromised vendor, and its spokesperson confirmed the breach to TechCrunch while refusing to answer some specific questions about it.

What makes this incident particularly damaging is the timing: the hack landed just days after a Wall Street Journal investigation revealed that Polymarket paid college-age creators to produce over 1,100 TikTok videos showing fabricated wins on dummy sites built to resemble the platform.

Creators were paid $2,000–$3,000 per month and instructed not to disclose the partnership, with a total of $1.9 million in fabricated winning bets across the content. Polymarket has since launched an internal audit of its promotional content.

This is Polymarket's second confirmed security incident in under two months. In May 2026, an internal operations wallet used for employee top-ups and reward payouts was drained of roughly $700,000 through a private key compromise, a breach that, at the time, the platform stressed did not touch user funds.

Both incidents point to the same vulnerability: attackers' ability to infiltrate major platforms at the margins, even when the core smart contracts remain intact. The protocol hasn't broken, but the perimeter keeps failing.

With $450 million in total value locked and growing regulatory scrutiny, how Polymarket handles vendor vetting and frontend integrity checks going forward will matter far more than either breach in isolation. Two incidents in eight weeks is starting to look like a pattern.


Delogg Media