Polymarket has confirmed that hackers stole cryptocurrency from some users after compromising a third-party service connected to its prediction market platform.
The company said the attackers used the vendor breach to inject malicious code into its website for a limited number of visitors. Polymarket has contained the incident and is contacting affected users, who will be reimbursed in full.
Researchers Estimate $3 Million Was Stolen
Polymarket has not disclosed how many accounts were affected, which vendor was compromised, or the total amount taken. Spokesperson Connor Brandi confirmed that users lost funds but declined to provide further details.
Blockchain security company PeckShield reported that approximately $3 million in cryptocurrency had been stolen during a phishing campaign targeting Polymarket users. A separate blockchain analyst identified more than 11 possible victims, although neither estimate has been independently confirmed by the company.
At least two users had publicly reported unexplained losses from their Polymarket accounts in the days before the company acknowledged the incident.
The available information suggests that the attackers interfered with the website experience presented to selected users rather than directly compromising Polymarket’s underlying blockchain. Malicious code on a legitimate website can mislead visitors into approving transactions or connecting their wallets to an attacker-controlled destination.
Polymarket said it has removed the injected code, secured the affected systems and begun issuing refunds. It has not provided a timeline for completing the reimbursements.
Third-Party Vendor Remains Unidentified
The incident is an example of a supply-chain attack, in which criminals compromise a service provider to reach the provider’s customers. Websites commonly depend on external tools for analytics, customer support, advertising and other functions, creating additional routes through which malicious code can be introduced.
Polymarket has not identified the vendor or explained how long the code remained active. It also has not said whether users need to revoke wallet permissions, change credentials or take other protective measures.
The breach adds to a difficult week for the company. A Wall Street Journal investigation found that Polymarket paid creators to publish videos showing fabricated trades and winnings on imitation versions of its platform.
The investigation examined more than 1,100 videos and found that the featured bets were not genuine. Polymarket responded by saying it would audit its promotional content and improve oversight of its marketing partners.
Featured image credits: Polites News
For more stories like it, click the +Follow button at the top of this page to follow us.