Hackers stole about $3 million from Polymarket users after a third-party vendor compromise

Polymarket said a compromise at a third-party service let attackers inject malicious code into its frontend for some users, which led to stolen crypto assets. For PSPs and other high-risk operators, the part that matters is simple: the platform says it will refund affected users in full, even though the incident came through a vendor, not its core infrastructure.

1. Polymarket confirmed the incident on X on June 25, 2026, saying a third-party vendor had been compromised and that malicious script was injected into its frontend for some users. The company said it contained the attack, removed the affected dependency, and was contacting impacted users.
2. Connor Brandy, a Polymarket representative, told TechCrunch that users did lose funds in the attack, but the company did not disclose the exact number of affected users or other incident details. Polymarket also said all impacted users will be refunded in full.
3. Blockchain monitoring firm PeckShield said it was seeing a large phishing campaign aimed at Polymarket users and estimated the stolen cryptocurrency at about $3 million. Independent blockchain researcher ZachXBT said at least 11 users were affected.
4. Polymarket lets users make predictions on political, economic, sports, and other events using cryptocurrency, which means account compromise can translate directly into asset loss. In the last few days, users had already been posting on social media that funds had disappeared from their accounts.
5. This is the second major controversy around Polymarket this week. Earlier, a journalistic investigation found that the company had paid content creators who posted misleading videos about supposedly large wins on the platform; after that reporting, Polymarket said it would audit its marketing materials and review its policy for working with creators.

For high-risk operators, the useful takeaway is not the headline number. It is the incident pattern: a third-party dependency was enough to push malicious code into the user-facing flow, and the platform chose full reimbursement as the response. That is a reminder that vendor risk is payments risk, especially when the product holds user balances or exposes wallets directly in the interface.