
Polymarket Refunds Users After June 25 Frontend Hack Drains $3.1 Million From Wallets
Key Takeaways
- Polymarket's frontend breach drained about $3.1 million from fewer than 15 wallets.
- Polymarket will fully refund all affected users.
- A compromised third-party vendor enabled a malicious frontend script.
Frontend vendor breach
Polymarket said a compromised third-party vendor injected a “malicious script” into its frontend for some users, draining about $3.1 million in user funds from up to 15 wallets after a security breach on June 25.
The platform said the attack targeted Polymarket’s frontend through a compromised third-party vendor, and that its core smart contracts were never actually breached.

On-chain analysts tracked the stolen pUSD as it was swapped for ETH and consolidated into fewer wallets; PeckShield, SpecterAnalyst, and GoPlus Security were cited as tracking the activity.
Benzinga reported Polymarket contained the breach after discovering the vendor compromise on Thursday morning and said it was “refunding them in full,” while SecurityWeek said Polymarket promised to fully refund users affected by the attack.
In a separate incident earlier this year, Polymarket said a May 22 breach drained between $520,000 and $700,000 from an internal wallet on the Polygon network, with user funds not affected.
Refund pledge and estimates
Bubblemaps said the attacker drained nearly $3 million from under 15 wallets, and SecurityWeek reported PeckShield estimated roughly $3 million worth of pUSD was stolen via a phishing campaign.
CoinDesk later reported that the hack figure had been updated to $3.1 million days after Polymarket promised full refunds, citing AMLBot’s update that the theft was from 11 user wallets and that the assets were stolen from Polygon and bridged to Ethereum.

Polymarket Traders, an account carrying an official Polymarket Traders badge, told users on X that “We’ve contained it & removed the affected dependency,” and said it was “contacting impacted users & refunding them in full.”
CoinDesk also quoted Polymarket’s post: “We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full.”
Specter Analyst was also cited by CoinDesk, saying “It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far.”
Broader scrutiny and risks
Beyond the June frontend incident, CoinDesk reported Polymarket is under investigation in connection with false or deceptive marketing practices, following a Wall Street Journal article about deceptive social media promotions.
CoinDesk also tied the hack to broader regulatory scrutiny, noting that the news followed reports that the prediction platform is under federal investigation and that U.S. regulators are weighing how to police insider trading on event contracts.
In a separate thread of market conduct, CoinDesk reported that Kalshi suspended and charged two users for insider trading, including a visual-effects designer for Beast Games by MrBeast, and said Kalshi fined him more than $20,000.
The same CoinDesk reporting described how the CFTC issued a notice warning that insider trading on event contracts could violate U.S. law, and quoted Chairman Mike Selig calling exchanges the first line of defense.
Meanwhile, Crypto Briefing framed the repeated user-fund losses as having regulatory implications, stating that “Repeated security breaches that result in user fund losses tend to attract the kind of regulatory attention that no crypto platform wants.”