Polymarket users are getting their money back after hackers exploited a compromised third-party vendor to steal about $3 million from the prediction market platform.
The attack allowed hackers to inject malicious code into Polymarket’s front end. On-chain analysts at Bubblemaps found that fewer than 15 user accounts were affected, and the damage was largely contained.
The hackers drained funds from customer wallets containing pUSD, Polymarket’s dollar-pegged stablecoin backed by USDC. They converted the stolen funds into ETH and consolidated them into a single Ethereum wallet.
Polymarket said it’s reimbursing all impacted customers in full and that the front-end issue has been fixed. But this is the platform’s second security incident in two months: last month, an internal wallet exploit cost the company roughly $700,000.
Both incidents highlight how attackers can infiltrate major companies through their vendors, even when the core platform itself remains secure.
