Eleven Polymarket wallets just lost $3.1 million in PUSD after a third-party vendor injected a malicious script into the prediction market's frontend. Blockchain intelligence firm AMLBot updated the tally on Saturday, confirming the funds were stolen from Polygon and immediately bridged to Ethereum. The attacker initially drained roughly 1,893 ETH, per PeckShield's estimate.
One of the victims, a user called Ash, posted his wallet address and the attacker's on X, admitting he had no idea how it happened. Specter Analyst pegged the losses at $2.94M as the attack unfolded. Polymarket's response came fast: "We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full."
How a Compromised Vendor Drained $3.1M
Polymarket disclosed that a third-party vendor was compromised, allowing a malicious script to run in the frontend for some users. That script targeted PUSD, the platform's native collateral token used for all trading. The attack was a classic supply chain injection - no exploit of Polymarket's core smart contracts, just a poisoned frontend dependency. Because the drain went through the user interface rather than the contracts, a contract audit would not have caught it; the boundary that failed was vendor code executing in users' browsers. The platform removed the dependency and says the incident is contained.
This isn't Polymarket's first security blemish. In March, blockchain investigator ZachXBT flagged over $520,000 drained from two smart contracts on Polygon; Polymarket initially said the funds were safe. In December, a Discord breach blamed on an unidentified third-party login provider led to missing funds and suspicious logins. Each incident chips away at user trust, even if the platform promises restitution.
Federal Investigation Looms Over Marketing Practices
The hack arrives as Polymarket faces a federal investigation into allegedly deceptive social media promotions. A Wall Street Journal report detailed how the platform might have overstated user winnings to attract new bets. The timing compounds the reputational damage: a security incident on top of a regulatory probe makes for an ugly quarter.
AMLBot continues to monitor the affected accounts. Polymarket has not responded to requests for comment since Saturday morning. The refund pledge buys time, but the pattern of third-party breaches demands more than promises - it demands a hardened supply chain and independent audits. Polymarket’s next move will determine whether users stick around or start looking for alternatives.
Source: Polymarket hack updated to $3.1 million days after the platform promised users full refunds
Domain: coindesk.com