
Polymarket Says Supply-Chain Hack Stole $3 Million, Starts Full Refunds

Source
YM Lee

Summary

  • Polymarket said a hack at a third-party service provider led to the theft of about $3 million in user assets, including pUSD.
  • Polymarket said it removed the malicious code, fixed the website security issue and is providing full refunds to all affected users.
  • Concerns over Polymarket’s security controls are growing after a second straight month of security incidents, following a wallet attack worth about $700,000 last month.

Photo: Shutterstock

Polymarket said a hack at a third-party service provider compromised its website and led to the theft of about $3 million in user assets. The decentralized prediction-market platform has started reimbursing all affected users.

Decrypt reported on June 25 that the attack began when one of Polymarket’s third-party service providers was breached. The attacker used that access to inject malicious code into Polymarket’s website front end and steal assets from some users’ wallets.

On-chain analytics firm Bubblemaps estimated that fewer than 15 accounts were affected and that about $3 million was stolen.

Polymarket said it has removed the malicious code and fixed the website security issue. The company added that it is issuing full refunds to all affected users.

The attacker stole pUSD, the dollar-pegged stablecoin used for trading on Polymarket, from user wallets, then swapped it for Ether and moved the funds into a single wallet. pUSD is a Polymarket-specific stablecoin issued with Circle’s dollar-backed stablecoin USDC as collateral.

The incident was an attack on an external service supply chain rather than Polymarket’s core protocol. The breach underscores the importance of supply-chain security because the attacker bypassed the core system and stole user assets through a partner vendor.

Last month, Polymarket was also hit by an attack on a wallet used for employee compensation payments in what was believed to be a private-key leak, causing about $700,000 in losses. At the time, the company’s internal infrastructure and user assets were not directly affected. Still, two security incidents in consecutive months are raising concerns about its security controls.

#North Korea Hacking