
Polymarket Users Hit by $3 Million Phishing Attack: How a Compromised Third-Party Script Drained Wallets

A major security breach has hit Polymarket, the world’s leading decentralized prediction platform, leading to the theft of approximately $3 million from user wallets. On June 25, 2026, hackers executed a sophisticated “supply-chain” attack by compromising a third-party vendor and injecting malicious code directly into the website’s interface. While Polymarket’s core smart contracts remained secure and the platform has promised to fully refund the victims, the incident highlights a growing and dangerous security trend in the cryptocurrency market where hackers target the visual interfaces users trust, rather than the underlying blockchain code.

By Aisha Okonkwo | June 28, 2026

The Exploit Mechanics

To understand what happened to Polymarket, think of a physical grocery store. The store’s bank vault is completely secure, and the building itself is locked up tight. However, the store uses a third-party payment system to process credit cards at the cash registers. If a hacker tampers with the card readers, they can trick customers into swiping their cards and sending money directly to the hacker’s bank account. The store’s vault is still untouched, but the customers’ money is gone because the checkout terminal was compromised. This is a supply-chain attack, which is when hackers target a smaller partner or vendor that provides software services to a larger company.

On June 25, 2026, attackers executed this exact type of attack against the Polymarket website. They compromised a third-party software vendor that the platform uses to build its website interface, also known as the frontend. Once inside, the hackers injected a malicious script—a hidden block of computer code—directly into the webpage. When regular users visited the site to check odds or place bets, the malicious script loaded in their web browsers. It then displayed fraudulent popups, tricking users into signing a transaction. In the crypto world, signing a transaction is the digital equivalent of signing a bank check; once you approve it with your signature, the funds leave your account. In this case, users unknowingly authorized the transfer of their own funds directly to the hacker.

According to reports from blockchain security firm PeckShield, the attackers focused on draining pUSD, which is the platform’s custom stablecoin pegged to the U.S. dollar. The hackers then moved the stolen assets from the Polygon network to the Ethereum network. Once the funds were safely on Ethereum, the hackers swapped the stablecoins for roughly 1,893 ETH. Based on current market rates, with Ethereum trading at $1,574, this amount of cryptocurrency is worth approximately $3 million. Meanwhile, the broader crypto market remained relatively stable, with Bitcoin trading at $60,100 and Solana at $71 during the incident.

Affected Systems

For retail investors concerned about the safety of decentralized applications, it is important to separate the website from the blockchain itself. Polymarket confirmed that its core smart contracts—the automated agreements written in code that handle bets and payouts on the blockchain—were not breached. Furthermore, the platform’s backend infrastructure remained completely secure. This means the underlying blockchain math and logic worked exactly as intended. The failure occurred entirely on the website interface that connects users to the blockchain.

The scope of the hack was relatively small in terms of affected users, but significant in terms of individual dollar impact. Security analysts tracked the breach and confirmed that only 11 to 15 user wallets were actively drained during the attack window. Because the hackers targeted users who were actively interacting with the website and signing transactions on June 25, 2026, only those specific accounts were vulnerable. The primary asset stolen was pUSD, which users hold in their wallets to participate in prediction markets. This incident marks the second major security event for Polymarket in recent weeks, following a separate incident in May 2026 where a private key compromise allowed hackers to steal funds. In cryptocurrency, a private key acts like the master password to a digital vault; losing it gives the attacker full control over the assets inside.

The Mitigation Strategy

When the security breach was first detected, the technical team at Polymarket moved quickly to contain the damage. They isolated the malicious code, identified the compromised third-party package, and removed it from the website’s frontend. Within a short period, the platform announced that the vulnerability had been fully resolved and that the site was safe for users to visit once again. By removing the compromised dependency, they cut off the hackers’ ability to display the fake transaction prompts to new visitors.

For the retail investors who lost funds, the platform provided a major piece of good news. Polymarket publicly committed to fully refunding all affected users who had their wallets drained during the phishing attack. This pledge is a significant relief for the 11 to 15 user wallets impacted, ensuring they will not bear the financial burden of this third-party compromise. Meanwhile, blockchain security firms, including PeckShield, have continued to track the hacker’s movements on the blockchain. They have flagged the Ethereum address holding the 1,893 ETH, alerting major exchanges and public block explorers. This public tagging makes it extremely difficult for the attackers to move or sell the stolen digital assets without triggering compliance alarms.

Lessons Learned

This incident offers several critical lessons for both blockchain developers and everyday crypto investors. First, it proves that smart contract audits are no longer enough to guarantee safety. A cryptocurrency project can spend hundreds of thousands of dollars making sure its blockchain code is flawless, but if its website frontend is vulnerable, users can still lose their money. Hackers are increasingly choosing the path of least resistance, targeting the standard web servers and third-party software libraries that connect users to the blockchain.

In the tech industry, developers often use pre-written software blocks from outside vendors to add features like charts or web analytics to their sites. This incident shows that if even one of these external vendors is compromised, the entire platform becomes unsafe. Furthermore, this hack reflects a larger trend in the second quarter of 2026. Security data shows that while traditional blockchain exploits are becoming harder to execute, “human factor” attacks—including phishing, social engineering, and frontend hijacks—are on the rise. In fact, these types of interface compromises now represent a major portion of all realized losses in the cryptocurrency space. The industry must start treating website security with the same level of rigor as blockchain security.

User Action Required

If you own cryptocurrency or use decentralized platforms, there are several concrete steps you should take right now to secure your wallet against frontend phishing attacks:

  • Verify transaction details — Before clicking “confirm” or “approve” in your browser wallet, look closely at the transaction details. Pay attention to what permissions you are granting. If a website asks you to approve access to your tokens when you only meant to view a page or place a small bet, reject the request immediately.
  • Use transaction simulators — Use modern digital wallets that offer built-in transaction previews or simulation tools. These simulators show you exactly what assets will leave your wallet and what will enter before you sign. If the simulation shows your tokens being sent to an unknown address, close the browser.
  • Establish a hot wallet system — Never connect a wallet containing your main savings to any decentralized application. Instead, set up a “hot wallet” with only the small amount of funds you need for active trading or betting. Keep your primary assets in an offline “cold wallet” that never connects to the internet.
  • Revoke old approvals — Regularly review and revoke token approvals you have granted in the past. Use services like Revoke.cash to clean up permissions. If you do not revoke them, a future exploit on an old platform could still access your wallet.
  • Monitor Polymarket support — If you were active on the platform on or around June 25, 2026, check your wallet transaction history on a block explorer. If you see unauthorized transfers of pUSD, contact official support channels immediately to join the refund queue.
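What "verify transaction details" and "revoke old approvals" come down to in practice, as an added example that is not part of the original article or any Polymarket code: the sketch below decodes the `data` field of a pending transaction, assuming the token follows the standard ERC-20/ERC-721 function selectors, and flags unlimited approvals and unfamiliar counterparties. The function names, the known-address list and the sample addresses are constructed for illustration.

```javascript
// Added example. Selectors are the standard ERC-20/ERC-721 ones; addresses are constructed.
const SELECTORS = {
  "095ea7b3": { name: "approve", types: ["address", "uint256"], party: 0 },
  "a9059cbb": { name: "transfer", types: ["address", "uint256"], party: 0 },
  "23b872dd": { name: "transferFrom", types: ["address", "address", "uint256"], party: 1 },
  "a22cb465": { name: "setApprovalForAll", types: ["address", "bool"], party: 0 },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Split calldata into the 4-byte selector and its 32-byte ABI words.
function decodeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) throw new Error("not calldata");
  const selector = hex.slice(0, 8);
  const spec = SELECTORS[selector];
  if (!spec) return { name: "unknown", selector, args: [], party: null };
  if (hex.length < 8 + 64 * spec.types.length) throw new Error("truncated arguments");
  const args = spec.types.map((type, i) => {
    const word = hex.slice(8 + 64 * i, 72 + 64 * i);
    if (type === "address") return "0x" + word.slice(24); // low 20 bytes of the word
    const value = BigInt("0x" + word);
    return type === "bool" ? value !== 0n : value;
  });
  return { name: spec.name, selector, args, party: args[spec.party] };
}

// Return the decoded call plus warnings a user should read before signing.
function reviewCalldata(data, knownAddresses = []) {
  const call = decodeCalldata(data);
  const known = new Set(knownAddresses.map((a) => a.toLowerCase()));
  const warnings = [];
  if (call.name === "unknown") warnings.push(`unrecognized function 0x${call.selector}`);
  if (call.party && !known.has(call.party)) warnings.push(`${call.name} names unknown address ${call.party}`);
  if (call.name === "approve" && call.args[1] === MAX_UINT256) warnings.push("unlimited token allowance");
  if (call.name === "setApprovalForAll" && call.args[1] === true) warnings.push("operator control over all tokens");
  return { call, warnings };
}

// Constructed samples: unlimited approve to an unfamiliar spender, and a
// transfer of 25000000 base units to an address the user already knows.
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const UNFAMILIAR = "0x" + "ab".repeat(20);
const FRIEND = "0x" + "12".repeat(20);
const SAMPLE_APPROVE = "0x095ea7b3" + pad(UNFAMILIAR) + "f".repeat(64);
const SAMPLE_TRANSFER = "0xa9059cbb" + pad(FRIEND) + pad((25000000n).toString(16));

for (const data of [SAMPLE_APPROVE, SAMPLE_TRANSFER]) {
  const { call, warnings } = reviewCalldata(data, [FRIEND]);
  console.log(call.name, call.args.map(String), warnings);
}
```

A call that decodes to `approve` or `setApprovalForAll` grants standing permission rather than moving funds once, which is why such approvals remain a risk until they are revoked.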

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.

6 thoughts on “Polymarket Users Hit by $3 Million Phishing Attack: How a Compromised Third-Party Script Drained Wallets”

  1. PredictionPete

    so the smart contracts were fine but the website itself was weaponized against users. 3m gone just like that

  2. supply_side_risk_

    this is exactly why I never keep more than lunch money on any web frontend. the contract was fine, some third party script provider got owned and drained $3M. same thing almost happened to CoinGecko in 2022

  3. Promising full refunds is nice but how long does that actually take? Polymarket processes millions in volume daily and a single compromised CDN script bypassed everything. The attack surface is the frontend, not the chain
