
Polymarket to reimburse users after third-party compromise triggers $3M phishing attack

The prediction market platform says it has contained a third-party frontend compromise and will fully reimburse users affected by the phishing attack.


Prediction market platform Polymarket says it will fully reimburse affected users after a compromised third-party vendor injected malicious code into its frontend. This exposed some users to a phishing attack that blockchain security researchers estimate drained nearly $3 million.

In a statement published on June 25, Polymarket said it discovered the compromised vendor earlier in the day, removed the affected dependency, and contained the incident. The company added that it is contacting impacted users and will refund them in full.

The incident appears to have affected only users who interacted with the compromised frontend during the attack window; the platform’s underlying smart contracts do not appear to have been affected.

Third-party compromise injected malicious script

According to Polymarket, the attack originated from a compromised third-party vendor that injected a malicious script into parts of the platform’s frontend.

The company said it has since removed the affected dependency and contained the incident. However, it has not disclosed the identity of the compromised vendor or released a detailed technical postmortem.

The platform emphasized that it is working directly with affected users while continuing its investigation.

Security firms estimate nearly $3M in losses

Blockchain security firm PeckShield reported that the incident appeared to be a phishing campaign targeting Polymarket users.

According to its findings, attackers drained approximately $3 million worth of PUSD from more than 11 victim wallets before bridging the stolen funds from Polygon to Ethereum.

The researchers said the attacker subsequently exchanged the proceeds for roughly 1,893 ETH, consolidating the assets into a monitored Ethereum address.

Polymarket has not publicly confirmed the estimated losses or the number of affected wallets.

Platform promises full reimbursement

Unlike many phishing incidents that leave users responsible for losses, Polymarket said it intends to reimburse everyone affected by the attack.

The company said it is contacting impacted users directly while continuing to investigate the compromise.

No timeline has been provided for either the reimbursement process or the publication of a full incident report.


Final Summary

  • Polymarket says a compromised third-party vendor injected malicious code into its frontend and has pledged to reimburse affected users.
  • Security researchers estimate the phishing campaign stole roughly $3 million before the funds were bridged to Ethereum and converted into ETH.

 


Adewale Olarinde

Journalist
