A Polymarket user connects a wallet, places a prediction, and walks away. When they return, the PUSD is gone. Not because the blockchain broke — because the website they loaded was quietly poisoned. On June 25, 2026, Polymarket disclosed that a third-party vendor’s code had been tampered with, injecting a malicious script into its frontend. Blockchain monitoring firm PeckShield estimated losses at around $3 million. On-chain investigator SpecterAnalyst traced at least 11 victim wallets, putting the damage at $2.94 million in drained PUSD. Polymarket says everyone gets refunded.
How $3 Million Disappeared Without Touching the Blockchain
The platform’s smart contracts held fine — the website sitting in front of them didn’t.
- A compromised third-party vendor slipped malicious code into Polymarket’s website frontend, not its underlying smart contracts
- SpecterAnalyst tracked the stolen PUSD across chains: drained from Polygon, bridged to Ethereum, swapped into approximately 1,893 ETH, and consolidated into a single wallet address
- Fewer than 15 accounts were affected, according to Bubblemaps analysis — a contained breach with an outsized dollar figure
- Polymarket has removed the affected dependency and says the incident is contained
- The company has not named the compromised vendor or published a technical post-mortem
Here’s the distinction that matters. A frontend attack poisons the website code your browser loads. In Web3, that poisoned code can silently prompt your wallet to approve malicious transactions while everything on-chain looks completely normal underneath. Think of it like a card skimmer on an ATM: the bank vault stays locked, but your PIN is already gone. Polymarket’s contracts held. The interface sitting in front of them didn’t.
“The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds.” — SpecterAnalyst, on-chain investigator
Polymarket’s head of experience William LeGate was direct on X: “We are refunding affected users in whole, there are no user ‘losses’.” The company says it has contacted impacted accounts and is executing full refunds. Whether that rebuilds confidence is a separate question — especially given that Polymarket has yet to name the vendor, explain how the dependency was introduced, or commit to a public post-mortem.
A Platform With a Growing List of Security Questions
Two security incidents in weeks, plus an influencer scandal — each explainable alone, but the pattern tells its own story.
This marks the second Polymarket security incident in rapid succession. Weeks earlier, a dormant operational wallet lost between $600,000 and $700,000 after an old private key leaked. User funds weren’t touched, but key management questions surfaced immediately. Before that, the Wall Street Journal reported the company paid influencers to produce deceptive promotional videos using near-perfect copies of its site to fake massive wins. Polymarket pledged to audit promotional content after that story dropped. Each incident has an explanation. Together, they form a pattern worth watching more carefully than any prediction market on the platform.
If the refunds land cleanly, most affected users walk away whole. But Polymarket still owes its broader user base something money alone can’t cover: a clear account of how a vendor’s compromised code reached production, and what is changing to prevent the next breach. Promises are a start. Post-mortems are proof.