Prediction-market platform Polymarket said hackers stole roughly $3 million from users after a third-party vendor was compromised and malicious code was injected into its website. The incident has since been fully contained, and refunds are being initiated for affected users in full.
A Supply-Chain Attack, Not a Direct BreachPolymarket disclosed that a compromise at one of its outside providers allowed attackers to slip malicious code into its frontend for some users. The tampered script powered a phishing campaign that tricked victims into approving fraudulent transactions, which then drained funds from their connected wallets.
“We have contained the incident,” Polymarket said, adding that it removed the affected dependency and is “refunding them in full.” The company stressed that its own core infrastructure and onchain markets were not breached, with the weak link being a third-party supplier whose code was served through Polymarket’s website.
In sum, funds locked in Polymarket’s onchain markets were never directly at risk, but users who approved the spoofed transactions saw their wallets emptied.
What Happens NextPolymarket said it is contacting victims individually as it processes refunds rapidly, absorbing the cost of a breach that originated outside its own walls (a move likely aimed at preserving trust among its fast-growing user base).



















