
Polymarket Hack Exposes Frontend Risks Amid ICE's $2B Investment Plan

Polymarket will fully refund users after a third-party vendor hack drained nearly $3 million from fewer than 15 accounts, shifting security focus from smart contracts to frontend vulnerabilities as ICE plans a $2 billion investment.

Sarah Chen · 3 min read

Polymarket, the decentralized prediction market platform, has announced plans to fully reimburse users affected by a security breach that exploited a third-party vendor's frontend script. The incident, which occurred on June 25, resulted in the theft of approximately $2.94 million to $3 million from fewer than 15 accounts. While the number of affected users is small, the average loss per account exceeds $200,000, highlighting the concentrated impact of the attack.

The hack has drawn attention to a shift in cybersecurity risks within the crypto ecosystem. Unlike previous exploits that targeted vulnerabilities in smart contracts, this breach compromised the frontend layer—the interface that users interact with directly. Analysts note that this development signals a growing threat landscape for platforms that rely on third-party vendors for user-facing features.

Polymarket identified the issue as a supply-chain attack, where malicious code was injected into the platform's frontend through a compromised third-party dependency. The company stated that it quickly contained the breach, removed the compromised dependency, and is now contacting affected users to issue refunds. Connor Brandi, a Polymarket spokesperson, confirmed the theft but declined to provide further details. On-chain analyst Specter estimated that the stolen funds, initially in PUSD (the platform's dollar-pegged token backed by USDC), were swapped for Ethereum and consolidated into a single wallet.

The financial impact of the hack is relatively small compared to Polymarket's valuation. The $2.94 million loss represents just 0.2% of the $1.48 billion in open interest across prediction markets reported by a16z Crypto for the week ending June 15. However, the incident has raised broader concerns about trust in market data and operational controls, particularly as the platform seeks to attract institutional investors.

Intercontinental Exchange (NYSE: ICE), the parent company of the New York Stock Exchange, announced in October its intention to invest up to $2 billion in Polymarket at an $8 billion valuation. ICE CEO Jeffrey Sprecher praised Polymarket's growing usage and distribution, while Polymarket CEO Shayne Coplan described the investment as a step toward bringing prediction markets into the financial mainstream. The exchange also plans to offer institutional investors access to Polymarket's event-driven data.

Polymarket's head of experience, William LeGate, emphasized that no users will ultimately bear losses. 'We are refunding affected users in whole, there are no user losses,' he told Gizmodo. However, the incident leaves lingering questions about vendor risk and the security of the connection between traders' wallets and the market infrastructure that ICE intends to leverage for institutional data services.

This is the second security issue Polymarket has faced in just over a month. In May, attackers stole more than $520,000 from two Polygon smart contracts after compromising a private key from an internal operations wallet. At that time, Polygon Labs CTO Mudit Gupta assured users that the contracts were safe. The latest breach, however, highlights vulnerabilities in the frontend—the point of interaction for consumers—which analysts describe as akin to a checkout counter for a retail company.

The hack also comes on the heels of a Wall Street Journal investigation that found Polymarket had paid creators to post deceptive videos showcasing fake trades and winnings. The platform has since promised to audit its promotional practices. Despite these challenges, Polymarket has not disclosed the name of the compromised vendor, the exact number of affected users, or the precise dollar amount lost.
