Polymarket Frontend Supply-Chain Phishing Attack
A compromised third-party vendor injected a malicious script into Polymarket's frontend, phishing approvals that drained about $2.94M in PUSD from user wallets.
- Date: June 25, 2026
- Victim: Polymarket
- Status: Loss (stolen funds not recovered; Polymarket pledged refunds)
- Funds Stolen: about $2.94M in PUSD
On June 25, 2026, Polymarket — the largest on-chain prediction market — had its frontend weaponized against its own users, draining approximately $2.94 million from at least 11 wallets after attackers injected a malicious script through a compromised third-party vendor. The platform's smart contracts were never touched; the theft happened entirely at the application layer, where users trust the interface they see.
What happened
The attack was a supply-chain compromise rather than a direct breach of Polymarket's own infrastructure. Attackers tampered with the code of a third-party dependency that Polymarket served through its website, and the tainted script was delivered to some users when they loaded the frontend. When a victim connected their wallet, the injected code prompted them to sign or approve transactions that looked routine but instead handed control of their balances to the attacker. The script specifically targeted PUSD, Polymarket's collateral stablecoin on Polygon.

Once the approvals were granted, the attacker drained PUSD from the affected accounts, then bridged the proceeds from Polygon to Ethereum and swapped them into roughly 1,893 ETH to liquidate quickly and obscure the trail. Blockchain analyst Specter first flagged the drain on-chain, and security firm PeckShield estimated total losses at around $3 million across more than a dozen victims.
Aftermath
Polymarket said it contained the incident within about 15 minutes of the first public report, removed the affected dependency, and began contacting victims. The company pledged to refund affected users in full, though it did not initially name the compromised vendor or specify how many accounts were hit. Reported losses later crept toward $3.1 million as more wallets were identified, and the refund pledge drew scrutiny over how reimbursement would be verified. Because the stolen funds themselves were not clawed back from the attacker — the proceeds were already bridged and converted to ETH — the incident remains classified as a loss; the promised refunds are reimbursement from Polymarket, not recovery of the stolen assets.
Why it matters
Polymarket is a textbook reminder that a protocol's frontend is part of its attack surface, even when the contracts are flawless. The pattern mirrors BadgerDAO, where a malicious script injected into the web app phished token approvals straight out of users' wallets, and Curve, where attackers hijacked the interface rather than the code. As supply-chain attacks on third-party dependencies grow more common, the lesson is blunt: users cannot tell a poisoned frontend from a clean one, so the burden falls on operators to lock down every dependency that can reach the sign-transaction prompt.
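The approval-phishing step described above, seen from the defender's side, as an added example that is not Polymarket's or any wallet's code: it parses an outgoing `eth_sendTransaction` request, recognises the ERC-20 `approve(address,uint256)` call that hands a token balance to a spender, and flags spenders outside a per-app allowlist or unlimited allowances. The selector and ABI layout are standard ERC-20; the allowlist, the `guardProvider` wrapper and the sample transaction are constructed assumptions.

```javascript
// Added example (not Polymarket code): screen ERC-20 approvals before they
// reach the wallet prompt. Allowlist, wrapper and sample data are constructed.
const APPROVE_SELECTOR = "0x095ea7b3"; // keccak256("approve(address,uint256)")[0:4]
const MAX_UINT256 = (1n << 256n) - 1n;

// Returns { spender, amount } for approve(address,uint256) calldata, else null.
function decodeApprove(data) {
  if (typeof data !== "string" || !data.startsWith("0x")) return null;
  const hex = data.slice(2).toLowerCase();
  if (hex.length !== 8 + 64 + 64) return null;          // selector + 2 words
  if ("0x" + hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);     // low 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(8 + 64));      // word 2
  return { spender, amount };
}

// Classify one transaction against the spenders this app legitimately needs
// (e.g. its exchange contracts). Unknown spender or unlimited allowance is a
// phishing signal: block it, or at least surface it before the wallet prompt.
function inspectTransaction(tx, allowedSpenders) {
  const approve = decodeApprove(tx.data);
  if (!approve) return { kind: "other", suspicious: false, reasons: [] };
  const allowed = new Set(allowedSpenders.map((a) => a.toLowerCase()));
  const reasons = [];
  if (!allowed.has(approve.spender)) reasons.push("spender not on allowlist");
  if (approve.amount === MAX_UINT256) reasons.push("unlimited allowance");
  return { kind: "approve", ...approve, suspicious: reasons.length > 0, reasons };
}

// Wrap an EIP-1193 provider so approvals are screened before reaching the wallet.
function guardProvider(provider, allowedSpenders) {
  const guarded = Object.create(provider);           // keeps on(), removeListener(), ...
  guarded.request = async (args) => {
    if (args.method === "eth_sendTransaction") {
      const verdict = inspectTransaction(args.params[0], allowedSpenders);
      if (verdict.suspicious) throw new Error("blocked approval: " + verdict.reasons.join(", "));
    }
    return provider.request(args);
  };
  return guarded;
}

// Constructed sample: unlimited approval of a PUSD-like token to an unknown spender.
const TRUSTED_SPENDERS = ["0x" + "11".repeat(20)];                        // constructed
const SAMPLE_PHISHING_TX = {
  data: APPROVE_SELECTOR + "0".repeat(24) + "ba".repeat(20) + "f".repeat(64),
};
```

Because a script injected into the page can call the raw provider directly, a check like this is only reliable inside the wallet or a security extension; on the operator side it complements, not replaces, pinning every third-party script with Subresource Integrity and a strict Content Security Policy.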