The company announced it has contained the incident and committed to fully refunding all impacted users. However, the breach underscores growing vulnerabilities in decentralized finance platforms and their supply chain dependencies.
How the Attack Unfolded
A compromised third-party vendor provided attackers with access to inject malicious scripts into Polymarket’s user interface. This code allowed hackers to intercept user transactions and drain funds from connected wallets without directly breaching Polymarket’s core infrastructure.
Blockchain security researcher Specter first identified the attack, reporting that over 11 Polymarket wallets holding PUSD were drained. The stolen assets were then swapped for Ethereum (ETH) and consolidated, with attackers bridging approximately 1,893 ETH from Polygon to Ethereum.
Security firm GoPlus confirmed the findings, estimating losses at around $3 million across roughly 15 user accounts. PeckShieldAlert corroborated these figures independently.
What We Know About the Breach
Polymarket spokesperson Connor Brandi confirmed the incident on June 25, 2026, stating that the third-party vendor compromise led to unauthorized fund withdrawals. The affected dependency has been removed from the platform’s systems.
Specific technical details about how the malicious code bypassed security measures remain unclear. The company has not disclosed the exact nature of the third-party vendor relationship or the precise mechanisms of the code injection attack.
Supply Chain Attacks Emerge as Critical Risk
This incident highlights a growing vulnerability in the cryptocurrency ecosystem: indirect compromises through third-party vendors can severely impact user funds without requiring direct breaches of core infrastructure.
Supply chain attacks have become increasingly sophisticated in DeFi. By targeting vendors rather than platforms directly, attackers gain access to systems that already have trusted relationships and are subject to fewer layers of security scrutiny. Polymarket’s incident exemplifies the type of indirect attack vector that security experts have warned about but that remains difficult to prevent entirely.
Polymarket’s Response and Refund Plan
Polymarket is actively contacting affected users to facilitate reimbursement. The company has publicly committed to covering all losses from the security lapse. Users who experienced unauthorized withdrawals should monitor their email and Polymarket account notifications for refund instructions.
Context: Broader DeFi Security Challenges
This breach follows recent controversy for Polymarket. An investigation revealed the platform had paid online creators to produce deceptive videos showing fabricated betting wins, prompting Polymarket to announce a review of its creator practices.
The security incident comes as the broader cryptocurrency market faces mounting challenges. Recent data shows this is one of numerous reported security incidents affecting crypto platforms. Users are increasingly advised to monitor asset movements closely and use security-focused tools to track their cryptocurrency holdings across decentralized platforms.
For Polymarket users, the company’s swift containment and refund commitment offer some reassurance, but the incident reinforces the need for heightened vigilance when interacting with cryptocurrency platforms and their vendor ecosystems.



