Polymarket Hack Hits $3.1M: What We Know
Hackers drained about $3.1 million in PUSD from 11 Polymarket wallets after a compromised vendor injected a malicious script. Here is what happened.
Founder & Lead Technician
Quick answer
Hackers stole roughly $3.1 million in Polymarket PUSD from 11 user wallets after a compromised third-party vendor injected a malicious script into the platform frontend. Funds moved from Polygon to Ethereum, and Polymarket has pledged full refunds to affected holders.
Hackers drained $3.1 million from Polymarket in a frontend phishing attack
Hackers stole roughly $3.1 million in Polymarket PUSD from 11 user wallets after a compromised third-party vendor injected a malicious script into the platform frontend. That is the updated figure from blockchain intelligence firm AMLBot, which raised its earlier estimate over the weekend as it kept tracking the stolen funds.
The breach is trending now for two reasons. The dollar amount climbed days after Polymarket publicly promised full refunds, and the attack landed while the prediction-market giant is reportedly under federal investigation over allegedly deceptive social media promotions. A platform already under a regulatory cloud just got hit again.
AMLBot said on X on Saturday that the assets were pulled from the Polygon network and immediately bridged to Ethereum, and that it continues to monitor the linked Polymarket accounts. Polymarket did not respond to a CoinDesk request for comment as of Saturday morning US time.
How the attack actually worked
This was not a break of Polymarket smart contracts. It was a supply-chain compromise of the website itself.
According to Polymarket, a third party vendor it relies on was breached, and the attacker used that access to slip a malicious script into the frontend served to some users. In plain terms, the page people loaded in their browser was quietly altered. When a user went to interact with the platform, the injected code steered them into approving transactions that handed their funds to the attacker rather than to Polymarket.
That is why this is described as a phishing attack even though no fake email was involved. The trusted site itself was serving the trap. Blockchain security firm PeckShield reported on Thursday that hackers had deployed a phishing campaign targeting Polymarket users and had bridged the stolen funds, initially estimated at roughly 1,893 ETH. Another intelligence platform, Specter Analyst, flagged the same incident on Thursday with an early loss estimate of about $2.94 million, a number that has since grown.
The stolen asset is PUSD, Polymarket native collateral and settlement token used for all trading on the platform. Because every trade settles in PUSD, a wallet drained of it is stripped of the balance that powers activity on the site.
Urgent advisory: if you hold PUSD or have interacted with Polymarket in recent days, treat any pending transaction approvals as suspect, revoke unfamiliar token allowances from your wallet, and verify refund communications only through Polymarket official channels rather than direct messages.
Polymarket response and the refund promise
Polymarket moved quickly in public. This morning we discovered a third party vendor had been compromised, injecting a malicious script into our frontend for some users, the platform said Thursday on X. We have contained it and removed the affected dependency. We are contacting impacted users and refunding them in full.
So the company has done three things on the record: identified the compromised dependency, removed it from the frontend, and committed to making affected PUSD holders whole. One victim, posting as Ash on X, wrote that his wallet had been hacked and that he had no idea why at the time, and shared both his address and the attacker address.
The catch is timing. The refund pledge came before AMLBot revised the loss figure upward to about $3.1 million, which means the final cost of those refunds may be larger than Polymarket signaled when it first responded.
A pattern of security incidents
This is not an isolated stumble. Polymarket has logged a string of security problems over the past several months.
| When | Incident | Reported impact |
|---|---|---|
| This week | Malicious script injected via compromised vendor (phishing) | About $3.1 million in PUSD from 11 wallets |
| March | Suspected breach flagged by investigator ZachXBT | Over $520,000 reportedly drained from two Polygon smart contracts |
| December | Account breaches tied to a third-party login provider | Missing funds and suspicious login attempts reported by users |
After the March event, Polymarket said the funds were safe. In December, it confirmed a security incident on its Discord channel and blamed an unidentified third-party login provider. The throughline across all three is dependence on outside vendors, whether a login provider or a frontend script supplier, as the weak point.
What happens next over the coming 24 to 72 hours
Expect the loss figure to keep moving. Intelligence firms like AMLBot, PeckShield, and Specter Analyst are actively tracing wallet flows, and on-chain estimates routinely get revised as more drained addresses are linked to the same attacker. The bridge from Polygon to Ethereum will be watched closely, since that is often where investigators try to follow or freeze funds.
Watch for Polymarket to publish a fuller post-incident breakdown, name or describe the compromised vendor, and lay out the refund mechanics for the 11 affected wallets. Until that arrives, treat refund details circulating elsewhere with caution.
The bigger overhang is regulatory. The hack lands on top of reports that Polymarket is already under federal investigation following a Wall Street Journal article into the platform deceptive social media promotion of users boasting winnings. A fresh security failure gives critics and regulators more to point at, and how cleanly Polymarket handles the refunds may shape how that scrutiny plays out.
For users, the immediate move is defensive: revoke stale wallet approvals, watch official Polymarket channels, and assume any unsolicited refund outreach is itself a phishing attempt until proven otherwise.
Source: CoinDesk
Frequently asked questions
How much was stolen in the Polymarket hack?+
Blockchain intelligence firm AMLBot updated the stolen amount to roughly $3.1 million in PUSD taken from 11 user wallet accounts. Earlier estimates from other firms put the figure near $2.94 million, so the total was revised upward as the investigation continued.
How did the Polymarket attack happen?+
Polymarket said a compromised third-party vendor injected a malicious script into its frontend for some users. That script powered a phishing campaign that drained PUSD from affected wallets. The funds were taken on Polygon and immediately bridged to Ethereum.
Will Polymarket users get their money back?+
Polymarket has pledged full refunds to victims holding its native PUSD token. The platform said it contained the incident, removed the affected dependency, and is contacting impacted users directly to refund them in full.
Founder & Lead Technician
Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.
Related guides
Poland Busts SIM-Swap Gang That Drained Crypto Accounts
Polish police, with the FBI and HSI, arrested four people who hijacked phone numbers to break into crypto exchange accounts and steal millions.
CZ Blames Crypto's 2026 Slump on AI, Tension, Cycle
Binance founder CZ says no single cause explains crypto's roughly 50% slide over the past year, pointing to AI, geopolitics and the four-year cycle.
Coinbase, OKX Court Binance EU Users in MiCA Race
Coinbase and OKX are dangling sign-up bonuses of up to 8% at Binance EU users after Binance said it will suspend services without a MiCA license by July 1.
Robinhood Layoffs Signal Late Crypto Bear Market
Robinhood cut staff amid a crypto revenue crunch. Analysts say the layoffs reveal where we are in the cycle, not panic. Here is what it means for traders.