Polymarket Blames a Third-Party Service Provider for Account Hack
Polymarket has just confirmed that a security flaw affected certain user accounts. It indicates that a vulnerability related to a third-party authentication provider allowed unauthorized access and resulted in losses for several victims. The platform states it has fixed the problem and indicates there is no longer any persistent risk.
In brief
- Polymarket confirmed that a security flaw related to a third-party authentication provider allowed the hacking of certain accounts
- On X and Reddit, victims describe login attempts followed by emptied balances, and some suspect a link to Magic Labs without official confirmation
- Polymarket states it has fixed the vulnerability, says there is no longer persistent risk, and promises to contact affected accounts.
What Polymarket admits and what it keeps silent about
Polymarket confirmed on Discord that it identified and resolved a security incident. This incident reportedly affected a small number of users and was linked to a flaw at a third-party authentication provider. This situation comes as the platform seemed to regain momentum despite some market concerns.
The Polymarket platform does not provide the number of impacted accounts, the total amount of losses, or the name of the provider involved. This omission is not a detail. But in security, what is not said quickly becomes playground for speculation.
And then there is the phrase “no persistent risk.” It reassures, obviously. But it does not answer the simplest question. Indeed, how can an authentication flaw lead to funds being emptied so quickly? As long as the precise mechanism is not explained, doubt sets in and the “Polymarket security flaw” becomes an unfortunately alive keyword.
Magic Labs: the ideal suspect
On social networks, many point the finger at Magic Labs because testimonies seem to focus on accounts created via this type of “email-to-automatic-wallet” connection.
This suspicion did not come out of nowhere. Polymarket has long documented a registration via Magic Labs (email login without password) to simplify onboarding. Magic, on its side, clearly explains that its embedded wallets create non-custodial wallets at login through different authentication methods.
But beware! At this stage, Polymarket has not publicly confirmed which provider is involved. Moreover, it has not published any complete technical analysis. In short, Magic Labs is a name that “fits” the scenario, but the public investigation has not delivered its final word.
The most ironic thing is that Polymarket has already been caught up by this theme. In September 2024, users complained about fund drains after logging in via Google. This was followed by USDC transfers to phishing addresses, while wallet extension users seemed less exposed. And as if that was not enough, a phishing campaign was reported via comments in November 2025, with over $500,000 in reported losses.
Maximize your Cointribune experience with our "Read to Earn" program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.
Enseignante et ingénieure IT, Lydie découvre le Bitcoin en 2022 et plonge dans l’univers des cryptomonnaies. Elle vulgarise des sujets complexes, décrypte les enjeux du Web3 et défend une vision d’un futur numérique ouvert, inclusif et décentralisé.
The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.