Polymarket: An External Breach Costs the Platform 3 Million Dollars
A compromised third-party provider allowed hackers to inject malicious code into Polymarket’s interface, stealing about 3 million dollars from more than 11 users. The prediction markets platform contained the incident and announced full reimbursement for the victims. In a sector under increasing scrutiny, the flaw raises questions about the security of front-end layers.

In brief
- Hackers stole about 3 million dollars from more than 11 Polymarket users via a compromised third-party provider.
- The malicious code targeted the web interface and not the smart contracts, prompting victims to approve fraudulent transactions.
- Polymarket has guaranteed full reimbursement for victims and has removed the third-party dependency that caused the breach.
How did hackers bypass Polymarket’s defenses?
The blockchain security firm PeckShield estimated the damage at 3 million dollars, spread over at least 11 victims. However, Polymarket did not suffer a direct breach. The attackers targeted a third-party provider whose code was delivered via the platform’s web interface, injecting a fraudulent script that prompted users to validate fake transactions.
This type of attack, called a “supply chain compromise,” is particularly feared in the crypto industry. Instead of attacking a platform’s own well-secured systems directly, hackers move upstream to its software dependencies.
Visitors loading the compromised page saw apparently legitimate signature requests, which actually gave attackers control over their wallets.
According to Polymarket, the platform has removed the affected dependency and now has the incident fully under control. Funds locked in on-chain markets were never exposed; only users who approved fraudulent transactions saw their wallets drained.
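As an added example (not code from Polymarket or from this article), the following Node.js code audits a page's script tags for third-party code that is not pinned with Subresource Integrity, or whose pinned hash no longer matches what is being served. The article does not say how the compromised script was loaded, so the origins, script bodies and function names here are constructed assumptions used to illustrate one general control for third-party front-end code.

```javascript
const { createHash } = require("crypto");
const ALGOS = ["sha256", "sha384", "sha512"]; // hash algorithms SRI allows

// Compute the Subresource Integrity value for a script body.
function sriHash(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// Pull src and integrity out of every <script src=...> tag (regex is enough for static markup).
function listScripts(html) {
  const scripts = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script: not covered by SRI
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(tag);
    scripts.push({ src: src[1], integrity: pin ? pin[1] : null });
  }
  return scripts;
}

// Classify each script. `served` maps URL -> body as delivered right now
// (constructed below; a real audit would download each URL).
function auditScripts(html, pageOrigin, served) {
  const firstParty = new URL(pageOrigin).origin;
  return listScripts(html).map(({ src, integrity }) => {
    const url = new URL(src, pageOrigin);
    if (url.origin === firstParty) return { src, status: "first-party" };
    if (!integrity) return { src, status: "unpinned-third-party" };
    const body = served[url.href];
    if (body === undefined) return { src, status: "not-fetched" };
    const ok = integrity.trim().split(/\s+/).some((v) => {
      const algo = v.split("-")[0];
      return ALGOS.includes(algo) && v === sriHash(body, algo);
    });
    return { src, status: ok ? "pinned-ok" : "hash-mismatch" };
  });
}

// Constructed sample data: hypothetical origins and script bodies, not from the incident.
const ORIGIN = "https://markets.example";
const goodBody = "console.log('widget v1');";
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/widget.js" integrity="${sriHash(goodBody)}" crossorigin="anonymous"></script>
<script src="https://analytics.vendor.example/tag.js"></script>`;
// The vendor now serves a modified file: the pin no longer matches.
const SERVED = { "https://cdn.vendor.example/widget.js": goodBody + "/* changed */" };
console.table(auditScripts(SAMPLE_HTML, ORIGIN, SERVED));
```

An `unpinned-third-party` or `hash-mismatch` result is the condition to alert on before a page ships. SRI only applies to files loaded from a fixed URL whose content is expected to stay stable.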
A sector under regulatory and security pressure
The incident occurs as prediction markets face a period of increased scrutiny. Polymarket and its competitor Kalshi posted a record month in April 2026, and Polymarket claims over 100 million transactions to date. This visibility attracts regulators as much as attackers.
On the regulatory side, the CFTC recently took legal action against Kentucky, which is trying to apply its own rules to prediction markets by equating them with sports betting. This jurisdictional battle between federal authority and local legislators illustrates the ongoing regulatory tensions around platforms like Polymarket and Kalshi.
The platform had also deployed Chainalysis monitoring tools to strengthen the integrity of its markets. This June hack adds operational security to an already long list of concerns.
This hack demonstrates a reality well known to DeFi protocols and exchanges: robust smart contracts do not protect against flaws that sit upstream, in the user-facing layer. Polymarket is handling the crisis with quick reimbursements, but trust in the security of web interfaces remains the sector’s weak link.