
Polymarket’s latest security incident has grown larger after blockchain intelligence firm AMLBot updated the estimated losses to about $3.1 million.
Summary
- The frontend phishing attack on Polymarket now shows $3.1 million in losses across 11 user wallets.
- The platform says a compromised third-party vendor injected malicious code into parts of its frontend.
- The refund pledge comes as lawmakers press regulators over alleged deceptive prediction market advertising practices.
The prediction market platform had earlier promised to refund affected users after saying a third-party vendor compromise allowed malicious code to reach some users through its frontend.
Hack losses rise to $3.1M
AMLBot said hackers stole about $3.1 million in PUSD from 11 user wallets. The firm said the funds were taken from Polygon and quickly bridged to Ethereum.
The update raises the loss figure from earlier estimates near $2.94 million. Specter Analyst had first flagged the attack as a phishing campaign that drained funds from at least 11 wallets holding PUSD.
Polymarket said in a June 25 post that it found a third-party vendor had been compromised. The company said the vendor issue allowed attackers to inject a malicious script into the platform’s frontend for some users.
“We’ve contained it & removed the affected dependency,” the platform said. It also said it was contacting affected users and “refunding them in full.”
Frontend attack targeted user wallets
The attack appears to have targeted users through the website interface rather than the core protocol. That type of attack can trick users into approving harmful wallet activity while they believe they are using the normal platform.
PeckShield said the attacker bridged stolen funds from Polygon to Ethereum and swapped them into about 1,893 ETH. Specter also said the funds were consolidated into an Ethereum address after the phishing activity.
A frontend attack can be difficult for users to detect in real time. The site may look normal, but the code loaded in the browser can create unsafe wallet prompts.
The incident also puts focus on third-party dependencies. Even if a platform’s smart contracts remain unchanged, outside code used in a website can create risk for users who connect wallets.
Earlier incidents add pressure
The latest incident follows other Polymarket security issues. In March, blockchain investigator ZachXBT flagged a suspected breach after more than $520,000 was reportedly drained from two Polygon smart contracts.
Polymarket later said funds were safe in that case. In December, the platform also confirmed an incident on its Discord channel after users reported missing funds and suspicious login attempts.
A previous report said the latest attack was recorded by DefiLlama as the 89th crypto security breach of the second quarter. The same report said that count made the quarter the highest on record by number of reported incidents.
The growing incident count shows why platforms now face closer checks across smart contracts, wallets, login systems, frontend code and outside vendors.
Regulatory scrutiny widens
The hack also arrives as Polymarket faces new regulatory attention. A recent report said U.S. Senators Adam Schiff and John Curtis urged the CFTC to review allegations tied to deceptive advertising practices.
The senators asked whether Polymarket promoted markets through simulated trading websites, staged transactions and undisclosed paid influencer campaigns. They also questioned whether the CFTC has enough tools to oversee prediction markets and protect users.
Polymarket and Kalshi are also part of a wider legal fight over sports event contracts. Kentucky has accused prediction market firms of offering unlicensed sports betting, while the CFTC has argued that federally regulated event contracts fall under its authority.
As previously reported, the cases may help decide whether sports-linked prediction markets answer mainly to federal derivatives rules or state gambling laws.

