Polymarket, the prediction market platform that gained prominence during the 2024 U.S. election, has confirmed a security breach on June 25 that resulted in the theft of approximately $3.1 million in user funds. The company has pledged to provide full refunds to all affected users.
The attack exploited a vulnerability in a third-party vendor, compromising the platform's frontend. This method, known as a supply-chain attack, did not breach Polymarket's core smart contracts. Between 11 and 15 user wallets were impacted, with the stolen assets primarily being pUSD, Polymarket's USDC-backed stablecoin.
On-chain analysts tracked the stolen funds as they were converted to Ethereum (ETH) and consolidated.
This marks the platform's second significant security incident in roughly five weeks. A separate breach in May, attributed to a suspected private key compromise, drained between $520,000 and $700,000 from an internal wallet. Polymarket stated user funds were not affected in that earlier incident.
The repeated breaches raise concerns about operational security. Supply-chain attacks target trust relationships with external vendors, an area that often receives less scrutiny than smart contracts do through audits. The incidents also draw regulatory attention, a sensitive issue for a platform that has previously settled with the U.S. Commodity Futures Trading Commission (CFTC).