Polymarket hacked: 11 wallets looted for $3.1 million, second supply chain attack in six months.

Polymarket supply chain attack losses have risen to approximately $3.1 million, with 11 user wallets drained; although the platform promised full refunds days ago, it has not publicly responded as of Saturday morning.


Decentralized prediction market Polymarket suffered a supply chain attack this week. According to an update that blockchain intelligence firm AMLBot posted on X on Saturday, a total of 11 user wallets were drained, with losses rising to approximately $3.1 million. The losses were denominated in the platform's native token PUSD, and the funds were bridged to Ethereum mainnet via Polygon immediately after the theft.

Polymarket Under Attack

Polymarket users were drained of ~$3.1M in PUSD on Polygon via phishing / malicious EIP-7702 delegated execution.

Funds were converted to USDC.e via Relay, bridged to Ethereum, swapped to ETH, and consolidated at… pic.twitter.com/bG3GYZZ1D9

— AMLBot (@AMLBotHQ) June 27, 2026

Supply Chain Attack: Malicious Script Injected via Frontend

The incident occurred on Thursday. Polymarket stated in an official X post that day: "Earlier this morning, we discovered that a third-party vendor was compromised, injecting malicious scripts into some users' frontend. We have contained and removed the affected dependencies, and are contacting affected users to provide full refunds." The platform emphasized that the Polygon smart contracts themselves were not affected; this was a supply chain attack targeting the frontend interface. The attacker infiltrated an external dependency package, not the contract logic.

One victim, Ash, wrote on X that their wallet had been drained without their knowing the cause, and that they only realized later that funds had been transferred out. They publicly shared their own wallet address as well as the attacker's, making theirs one of the earliest public victim cases.
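
AMLBot's post attributes the drains to malicious EIP-7702 delegated execution, which leaves a visible marker on the affected account. The following JavaScript is an added example (not code from Polymarket or AMLBot) that classifies the value returned by an `eth_getCode` call for a wallet address, so a holder or responder can see whether the account carries a delegation and to which contract; the sample code strings, the addresses and the `TRUSTED_DELEGATES` allowlist are constructed for illustration.

```javascript
// Added example: classify the bytecode returned by eth_getCode for an address.
// Under EIP-7702 a delegated EOA's code is the 23-byte designator
// 0xef0100 || <20-byte delegate address>; ordinary contracts cannot start with 0xef.
const DELEGATION_PREFIX = "ef0100";

// Hypothetical allowlist: delegate contracts the wallet owner knowingly approved.
const TRUSTED_DELEGATES = new Set(["0x" + "11".repeat(20)]);

function classifyAccountCode(codeHex) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new TypeError("expected 0x-prefixed, even-length hex from eth_getCode");
  }
  const body = codeHex.slice(2).toLowerCase();
  if (body.length === 0) return { kind: "plain-eoa", delegate: null };
  // 3-byte prefix + 20-byte address = 23 bytes = 46 hex characters.
  if (body.length === 46 && body.startsWith(DELEGATION_PREFIX)) {
    return { kind: "delegated-eoa", delegate: "0x" + body.slice(6) };
  }
  return { kind: "contract", delegate: null };
}

// Flag any delegation whose target is not on the owner's allowlist.
function triage(address, codeHex, trusted = TRUSTED_DELEGATES) {
  const result = classifyAccountCode(codeHex);
  const verdict =
    result.kind === "delegated-eoa" && !trusted.has(result.delegate) ? "review" : "ok";
  return { address, ...result, verdict };
}

// Constructed samples: undelegated wallet, approved delegate, unknown delegate, contract.
const SAMPLES = [
  { address: "0x" + "aa".repeat(20), code: "0x" },
  { address: "0x" + "bb".repeat(20), code: "0xef0100" + "11".repeat(20) },
  { address: "0x" + "cc".repeat(20), code: "0xef0100" + "de".repeat(20) },
  { address: "0x" + "dd".repeat(20), code: "0x6080604052" },
];

function runSamples() {
  return SAMPLES.map((s) => triage(s.address, s.code));
}

for (const r of runSamples()) {
  console.log(`${r.address} ${r.kind} ${r.delegate ?? "-"} ${r.verdict}`);
}
```

A `review` verdict means the account's code points at a contract the owner has not approved. Under EIP-7702 the delegation stays in place until the account signs a new authorization, and authorizing the zero address clears it.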

Platform Promises Refunds, but Security Issues Are Not New

William LeGate, a figure linked to a Polymarket co-founder, publicly stated that users would be reimbursed in full, emphasizing that users "won't lose anything." However, this is not the first time Polymarket has faced security risks.

On-chain investigator ZachXBT pointed out in March that two smart contracts on Polygon believed to be related to Polymarket saw over $520k transferred out. The platform responded at the time that funds were safe. Even earlier, in December of last year, after users successively reported fund losses and suspicious logins, the platform confirmed a security incident on Discord, blaming an unidentified third-party login provider—a similar modus operandi to this attack: a third party was compromised, and Polymarket's frontend became the attack vector.

Now, whether the refund promise will be fulfilled, whether the attacker's $3.1 million can be recovered, and whether Polymarket will disclose the full technical details of the third-party vendor vulnerability—these three questions will be the market's main focus.
