A phishing attack on Polymarket’s frontend has exposed one of the most persistent vulnerabilities in decentralized finance: the supply chain. Attackers did not need to break the protocol’s smart contracts to drain millions; they only had to compromise a third party vendor quietly sitting in the background of a popular platform’s code.
The Polymarket phishing attack didn’t exploit a flaw in the platform’s smart contracts or core infrastructure. Instead, attackers went through the side door — a third party vendor whose compromised access gave them a way to inject a malicious script directly into Polymarket’s frontend interface.
That distinction matters. Users interacting with what looked like the normal Polymarket interface were unknowingly exposed to code designed to steal funds from their connected wallets. Because the script ran inside Polymarket’s own site rather than on a lookalike domain, the usual advice to check the URL offered no protection; what the wallet asked the user to approve was the only remaining signal. The attack vector was silent, invisible, and effective.
Polymarket disclosed the incident on X, confirming that a third party vendor had been compromised and used to push a malicious script into the platform’s frontend for some users. The platform described the sequence plainly: discover, contain, remove, refund.
“This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full,” Polymarket Traders posted on June 25, 2026.
Blockchain analyst Specter classified the incident as a phishing campaign rather than a direct protocol exploit. The injected script waited for users to interact with the compromised interface and then activated to siphon funds from connected wallets.
Specter estimated losses at approximately $2.94 million drained from at least 11 victim wallets. The stolen assets, held in PUSD, were swapped for ETH and funneled into a single consolidated address — a pattern consistent with rapid laundering attempts following a DeFi theft.
The scale of the loss underscores how effective frontend-level attacks can be. Even with relatively few wallets compromised, the dollar impact reached nearly three million dollars, reflecting the size of positions some users held on the prediction market platform.
Polymarket moved quickly once the breach was identified. The malicious dependency was removed, the incident was contained, and the platform committed to making every affected user whole.
The response followed a clear and transparent sequence: isolate the compromised component, strip it from the platform, and communicate publicly. Polymarket confirmed it was actively contacting impacted users directly, rather than waiting for users to identify themselves.
That approach — proactive outreach combined with a full refund commitment — reflects how DeFi platforms increasingly understand that user trust, once fractured, is far harder to rebuild than the dollar amount lost.
The promise of full reimbursement for all affected users is significant. While the exact timing and distribution mechanism for those refunds were not specified, the public commitment puts Polymarket’s reputation directly on the line. For a prediction markets platform that depends on user participation and liquidity, that accountability is both financial and strategic.
The Polymarket incident didn’t happen in isolation. It landed inside a quarter that has already set unwelcome records for crypto security failures.
DefiLlama recorded the Polymarket breach as the 89th crypto security incident of Q2 2026 — making it the highest quarterly incident count the analytics platform has ever tracked. That figure alone signals a systemic problem. More attacks, more frequently, across a wider range of platforms and vectors.
Private key compromises accounted for 43% of exploit losses in the past 30 days, per DefiLlama. Fake proof exploits represented 10% of losses, and reverse MEV honeypots accounted for 8%. The Polymarket attack, rooted in a frontend supply chain compromise rather than a private key or protocol flaw, illustrates that attackers are diversifying their methods as defenses around traditional vectors improve.
DefiLlama reported $74.9 million in losses from 29 crypto exploits across June 2026 alone. That figure exceeded May’s $60.5 million but remained far below April’s $644 million — a month that included some of the largest individual DeFi thefts of the year.
June’s biggest single incident was a $36 million exploit targeting Humanity Protocol. Other notable attacks included a $4.7 million exploit on the Secret Network bridge, two separate $2.1 million exploits affecting Aztec, and a $1.7 million bridge exploit on Taiko. Against that backdrop, Polymarket’s $2.94 million loss sits in the middle tier of June’s incidents by dollar value — but its method and context make it particularly instructive.
The June frontend attack was not Polymarket’s first security headline this quarter. About a month earlier, the platform disclosed a separate breach involving a much older vulnerability.
Attackers exploited a six-year-old private key tied to an internal top-up operations wallet, making off with approximately $600,000. Security researchers ZachXBT, PeckShield, and Bubblemaps initially flagged suspicious activity involving Polymarket’s UMA CTF Adapter contract on Polygon. Bubblemaps noted that the attackers were withdrawing 5,000 POL every 30 seconds; total losses were later estimated at around $600,000.
Polymarket protocol contributor Shantikiran Chanal later clarified that the earlier incident stemmed from a compromised wallet used exclusively for internal operations, not from any flaw in the platform’s contracts or core infrastructure. Vice president of engineering Josh Stevens confirmed that user funds and smart contracts had remained secure throughout, and that all permissions linked to the compromised key had been revoked.
Two separate incidents a month apart, using entirely different attack vectors (a forgotten private key and a compromised supply chain vendor), paint a challenging picture for a platform navigating rapid growth alongside legacy security debt. The frontend phishing attack, in particular, highlights a category of risk that many DeFi platforms share but few have fully hardened against: the implicit trust placed in third party code running on their interfaces. A vendor script loaded into the page runs with the same access to the user’s session and connected wallet as the platform’s own code, so whoever controls the vendor’s delivery controls what the page does.
Attackers compromised a third party vendor and injected malicious code into Polymarket’s frontend interface. When users interacted with the compromised interface, the script activated and stole funds directly from their connected wallets.
Approximately $2.94 million was stolen from at least 11 user wallets. The stolen PUSD was swapped for ETH and consolidated into a single wallet address identified by blockchain analyst Specter.
Polymarket removed the malicious dependency, contained the incident, and committed to fully refunding all affected users. The platform also stated it was directly contacting impacted users.
The attack was logged as the 89th crypto security breach of Q2 2026 by DefiLlama, making it the highest quarterly incident count on record. June 2026 alone saw $74.9 million in losses across 29 exploits, with private key compromises accounting for 43% of recent exploit losses.
Article produced with the assistance of artificial intelligence and reviewed by the editorial team.