Polymarket customers lose $3 million in supply-chain attack
Polymarket customers lost $3 million after hackers injected malicious JavaScript via a third-party vendor.
Summary
Polymarket, a major cryptocurrency prediction market, has reported that customers lost an estimated $3 million due to a supply-chain attack. Hackers compromised a third-party vendor, injecting malicious JavaScript into Polymarket's frontend, which tricked users into approving fraudulent transactions. The company plans to fully reimburse affected customers, and its own backend systems remained secure.
Full text
Polymarket customers lose $3 million in supply-chain attack By Bill Toulas June 26, 2026 02:04 PM 0 Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platform's frontend following a breach at a third-party vendor. The company states in a brief announcement that the hack was the result of a supply-chain attack that impacted a dependency on its website. Polymarket is one of the world's largest cryptocurrency-based prediction markets that allows users to trade contracts with prices that reflect the market's collective estimate of an event's outcome. It offers predictions for sports, economic indicators, weather patterns, awards, political and legislative outcomes, and even military conflicts. Founded in 2020, the platform is currently valued at $9 billion, handles billions of dollars in trading volume, and serves as an influential source of information on market expectations. During the attack, unsuspecting users were tricked into approving fraudulent transactions on the official Polymarket website after malicious JavaScript was injected through a frontend vendor. Polymarket’s own servers and backend infrastructure were not impacted by the incident. The company did not share many details about the event, but independent blockchain intelligence firms estimate the losses at roughly $3 million, stolen from a small number of accounts. According to blockchain security firm PeckShield, the incident was a phishing campaign that stole approximately $3 million worth of ParyonUSD from users. The stolen funds were later swapped for 1,893 Ether. "The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 $ETH," PeckShield says. Transaction trackingSource: PeckShield Based on visual analytics company Bubblemaps, the incident has impacted less than 15 accounts. The company published a list of some of the affected accounts as well as the wallets holding the stolen funds. BleepingComputer has contacted Polymarket to request more details about the incident, but we have not received a response by publication time. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: LastPass confirms data breach in Klue supply chain attackShapedPlugin update flow hacked to infect WordPress sitesOptinMonster WordPress plugin hacked in CDN supply-chain attackGitHub announces npm security changes to tackle supply-chain attacksGitHub disables Microsoft repos pushing password-stealing malware
Indicators of Compromise
- malware — malicious JavaScript