Hackers compromised a Polymarket third-party vendor, injecting malicious code to drain $3 million from user wallets before the breach was contained.
In a highly disruptive supply chain breach that underscores the persistent vulnerability of decentralized finance applications to web-based attack vectors, prediction market titan Polymarket has confirmed that cybercriminals successfully siphoned millions of dollars from its users. Disclosed late Thursday evening on June 25, 2026, the company revealed that hackers managed to compromise an unnamed third-party software vendor. By tampering with this external dependency, the attackers injected a malicious script directly into Polymarket’s public web interface, altering the front-end code served to unsuspecting visitors. The breach allowed the perpetrators to bypass the platform’s underlying security architecture, intercepting user interactions and draining connected wallets without needing to exploit Polymarket’s core smart contracts.
The immediate impact of the security compromise materialized directly within the wallets of active digital asset traders utilizing the platform worldwide. Blockchain monitoring firm PeckShield quickly tracked the live on-chain movement, confirming that the hackers successfully drained roughly $3 million worth of cryptocurrency from at least 11 high-value victims before the alarm was raised. Blockchain analysts at Specter noted that the attackers specifically targeted wallets holding PUSD, which functions as Polymarket’s primary stablecoin asset. Once the funds were siphoned, the hackers rapidly routed the stolen assets across a decentralized bridge from the Polygon network over to Ethereum, instantly converting the loot into approximately 1,893 ETH to obscure the digital paper trail and facilitate rapid liquidation.
The underlying vulnerability driving this multimillion-dollar theft stems from a structural blind spot in decentralized platform design known as a front-end supply chain compromise. While modern Web3 platforms spend millions of dollars auditing their backend smart contracts, their web interfaces still rely heavily on a complex web of traditional, third-party JavaScript libraries and content delivery networks. By compromising just one of these minor external pieces of code, the hackers were able to execute a malicious script inside the users’ own web browsers. When victims attempted to place routine wagers on the site, the hijacked interface quietly altered the transaction routing details, tricking users into signing away authorization to their digital tokens.
The high-profile cyber attack lands at a time of severe regulatory and public relations pressure for Polymarket, capping off what has been described as the company’s most challenging operational stretch of the year. Just days prior to the hack, a major media investigation exposed a separate marketing scandal, revealing that Polymarket had quietly paid online content creators to publish deceptive videos featuring fabricated bets and fake winnings worth nearly $2 million. This PR crisis coincides with a massive global regulatory crackdown, as Spain joined a growing list of nations, including France, Belgium, India, and Italy, that have officially blocked or restricted access to the platform over missing local gambling and predictive licenses. Despite the mounting turbulence, Polymarket spokesperson Connor Brandi confirmed to TechCrunch that the front-end exploit has since been fully contained, the malicious dependency removed, and that the platform is actively contacting all affected victims to provide full financial reimbursement.
About the Author
Jennifer Sakmufuwo Baba is a tech analyst and writer covering artificial intelligence, fintech, and emerging technologies at TechRegard. Based in Nigeria, she's passionate about translating complex tech developments into compelling, accessible stories for diverse audiences. Her work focuses on how technology shapes innovation across Africa and globally.
