Polymarket Hack Funnels $3M Into a Single Ethereum Wallet

Crypto News

Prediction market Polymarket lost roughly $3 million in user funds on Thursday after attackers compromised a third-party vendor and injected malicious code into the platform’s front end. Our reading of the incident points to a supply-side breach rather than a flaw in Polymarket’s own contracts: the tampered website silently rerouted approvals, letting hackers drain wallets before users noticed. A prominent on-chain analyst first flagged the theft, estimating up to $2.94 million siphoned from a cluster of accounts. The episode underscores how front-end dependencies — the off-chain plumbing that serves a decentralized app — remain a soft target even when the underlying smart contracts hold. Polymarket says the vector is now closed.

Polymarket confirmed the breach in an official statement and pledged to reimburse every affected customer in full. The company said the malicious front-end code has been contained and removed, and that the compromised vendor — which it declined to name publicly — was the entry point. As of the latest disclosure, no figure has been released for how much of the stolen sum can be recovered versus repaid from corporate funds. The refund commitment distinguishes this event from a typical self-custody loss: by accepting liability for a third-party failure, Polymarket is absorbing a cost most non-custodial venues would push entirely onto the end user.

The breach marks Polymarket’s second security incident in two months, and it fits a recurring pattern of social-engineering attacks rather than protocol exploits. Over the past year, attackers have repeatedly tricked users into surrendering credentials on cloned sites, then emptied wallets within minutes. Earlier this month a single trader lost more than $2 million after entering a one-time password on a fake Polymarket clone, which let an attacker hijack the victim’s email-linked login wallet and withdraw funds instantly. Engineering staff stressed at the time that the loss occurred on a fraudulent domain, not through any defect in Polymarket’s production infrastructure — a distinction this week’s vendor breach complicates.

On-chain data clarifies how the money moved. The attackers drained wallets holding pUSD — Polymarket’s dollar-pegged stablecoin, collateralized by USDC and used to settle every trade on the platform — then swapped the proceeds into ETH. The converted funds were consolidated into a single Ethereum address where, at the time of writing, they remain parked. Blockchain investigators concluded the damage was largely contained, with fewer than 15 accounts affected, though that count could rise as more transactions are traced. Centralizing stolen value in one on-chain wallet keeps the trail visible to forensic firms but complicates any freeze.

Speculation over a possible POLY airdrop is amplifying the phishing threat against the platform’s users. On June 25, observers noted that Polymarket had quietly revised its FAQ, deleting earlier language stating it had no token and removing references to having no plans for a free distribution. A company marketing executive had already signaled token ambitions in an October 2025 interview, describing a goal of a utility-bearing asset with long-term sustainability. That expectation has pushed traders to adjust strategies in hope of qualifying, which in turn gives scammers fresh cover: fake eligibility checkers and counterfeit claim pages are an easy lure when an altcoin distribution looks imminent.

This is not the first time Polymarket-linked infrastructure has been hit. In May, the platform’s UMA CTF Adapter on Polygon was compromised, and investigators attributed that breach to a stolen deployer key rather than a contract bug. Taken together, the deployer-key incident, the cloned-site OTP theft, and this week’s vendor compromise show three different entry points exploited with the same outcome: funds pulled before detection. The common thread is operational and human-layer security — key management, vendor vetting, and user authentication — rather than the integrity of the on-chain markets themselves, which have not been the point of failure in any of the three documented cases.

Our reading is that the Polymarket cluster exposes the industry’s most under-priced risk: the off-chain attack surface around otherwise sound contracts. According to COINOTAG’s aggregate market data, sentiment is already fragile — the Fear & Greed Index sits at 13 out of 100, deep in Extreme Fear, while Bitcoin dominance has climbed to 70.2% and total crypto market capitalization holds near $1.7 trillion, signaling capital rotating toward perceived safety. Repeated front-end and vendor breaches erode exactly the trust that prediction markets and stablecoin rails depend on. The on-chain consolidation of stolen pUSD-turned-ETH into one traceable address gives investigators a lead, but recovery remains unconfirmed.