Polymarket Hack Swells to $3.1M After Refund Pledge

What to Know

• Polymarket says a compromised third-party vendor injected a malicious script into its frontend, affecting some users.
• Blockchain intelligence firm AMLBot said hackers stole about $3.1 million in PUSD from 11 user wallets.
• The stolen assets were moved from Polygon to Ethereum, according to blockchain tracking reports.
• Polymarket said it removed the affected dependency and pledged full refunds to impacted PUSD holders.
• Security firms PeckShield and Specter Analyst described the event as a phishing attack targeting Polymarket users.
• The incident comes after earlier security breaches at Polymarket and reports of a federal investigation into its marketing practices.

What happened at Polymarket

Polymarket is dealing with another major security incident after hackers reportedly drained roughly $3.1 million in PUSD from 11 user wallets. The loss was tracked by blockchain intelligence firm AMLBot, which said the stolen funds were taken from Polygon and quickly bridged to Ethereum, making the trail more difficult to unwind.

The attack appears to have been enabled by a compromised third-party vendor that injected a malicious script into Polymarket’s frontend. Polymarket said it identified the issue, contained it, and removed the affected dependency after discovering that some users had been exposed to the malicious code.

Refund promise and user response

Polymarket moved quickly to reassure users, saying it would refund affected PUSD holders in full. The platform said it was contacting impacted wallets directly and working through the fallout from the breach.

That promise matters because PUSD is the platform’s native collateral and settlement token used for trading on its decentralized prediction market. For users, any interruption to collateral integrity can be more than an inconvenience, as it affects both open positions and confidence in the platform’s operational controls.

One victim, identified as Ash on X, said his wallet had been hacked and that he initially did not understand why. He also shared wallet addresses connected to the theft, adding another public example of how quickly these incidents can become visible onchain before a company has fully answered questions.

How the theft moved onchain

According to AMLBot, the stolen assets were first taken from user wallets on Polygon before being bridged to Ethereum. That sort of cross-chain movement is common in crypto crime because it can complicate tracking and potentially widen the path for laundering or dispersion across addresses and services.

PeckShield also said on Thursday that it observed a phishing campaign aimed at Polymarket users, while Specter Analyst estimated losses at about $2.94 million before AMLBot updated the figure to roughly $3.1 million. These overlapping assessments suggest the attack unfolded quickly and that the size of the loss became clearer as analysts traced the affected wallets.

Pressure builds after earlier incidents

The latest breach lands during an especially sensitive period for Polymarket. The company has already faced earlier security issues, including a March incident highlighted by blockchain investigator ZachXBT, who said more than $520,000 was reportedly drained from two smart contracts on Polygon. Polymarket said at the time that the funds were safe.

In December, Polymarket also confirmed a security incident on its Discord channel after users reported missing funds and suspicious login attempts. The company blamed an unidentified third-party login provider for those account breaches. Taken together, the events point to recurring operational risk around vendors, access layers, and user-facing infrastructure.

Regulatory scrutiny adds to the damage

The hack comes as Polymarket is also facing reported federal scrutiny over its marketing practices. News reports have said the platform is under investigation in connection with allegedly deceptive social media promotions, particularly posts in which users appeared to boast about winnings.

That combination of security failures and regulatory pressure is especially damaging for a prediction market platform that depends on trust, liquidity, and a reputation for fair access. Even if the exploit is isolated to a frontend compromise rather than a core protocol flaw, public perception can still shift quickly once users see wallets drained and official explanations lag behind the theft.

Why the incident matters for crypto markets

For the broader crypto market, the Polymarket episode is another reminder that third-party dependencies remain one of the weakest points in digital asset infrastructure. Smart contracts may be auditable, but a compromised frontend, login provider, or vendor script can still funnel users into approving malicious transactions or revealing sensitive permissions.

It also underscores the difference between technical decentralization and practical user safety. A platform can settle markets onchain while still relying on centralized services, external vendors, and web interfaces that create attack surfaces beyond the protocol itself.

For FXCOINZ readers, the key takeaway is that the damage is not limited to the stolen funds. Incidents like this can trigger refund obligations, customer churn, legal exposure, and a deeper review of whether platforms are doing enough to secure the entire user journey from login to settlement.

What users should watch next

Users watching the situation will likely look for three things: whether Polymarket identifies the vendor compromise in more detail, whether refunds are processed quickly and transparently, and whether investigators connect the attack to any broader campaign against prediction market users.

They will also be watching whether regulators treat the security incident separately from the marketing allegations or view the two as part of a larger trust problem. In crypto, perception often moves as fast as code, and platforms under multiple forms of scrutiny rarely get much time to restore confidence.

Frequently Asked Questions (FAQs)

What did hackers steal from Polymarket?

Hackers reportedly stole about $3.1 million in Polymarket’s PUSD token from 11 user wallets, according to blockchain intelligence firm AMLBot.

How did the attack happen?

Polymarket said a compromised third-party vendor injected a malicious script into its frontend, which appears to have exposed some users to a phishing attack.

Did Polymarket promise refunds?

Yes. Polymarket said it would refund affected PUSD holders in full and that it removed the affected dependency after discovering the issue.

Was the stolen crypto moved to another chain?

Yes. AMLBot said the assets were stolen from Polygon and immediately bridged to Ethereum.

How many wallets were affected?

AMLBot said 11 user wallets were affected by the theft.

Has Polymarket had security incidents before?

Yes. The platform has previously dealt with suspected breaches, including a March incident involving reportedly drained smart contracts and a December account security event linked to a third-party login provider.

Is Polymarket also facing regulatory issues?

News reports say Polymarket is under federal investigation over alleged deceptive social media promotions, adding to the pressure from the security breach.

What should users do after a phishing incident like this?

Users should review wallet approvals, avoid signing unknown prompts, check for suspicious frontend activity, and monitor official platform announcements for refund instructions and security updates.

Why does this matter beyond Polymarket?

The incident highlights how third-party services can become a major security weak point across crypto platforms, even when core onchain systems remain intact.

Photo by Erik Mclean on Pexels