Polymarket updates hack loss to $3.1M, pledges full refunds to affected users

Polymarket, the decentralized prediction market that became a household name during the 2024 US election cycle, confirmed that a security breach on June 25 drained approximately $3.1 million in user funds. The platform has committed to making every affected user whole through full refunds.

The attack targeted Polymarket’s frontend through a compromised third-party vendor, meaning the platform’s core smart contracts were never actually breached. Between 11 and 15 wallets were impacted, with the stolen funds consisting primarily of pUSD, Polymarket’s USDC-backed stablecoin.

A supply-chain problem, not a protocol problem

Polymarket moved quickly to remove the affected dependency from its system and began contacting impacted users. On-chain analysts from PeckShield, SpecterAnalyst, and GoPlus Security tracked the stolen pUSD as it was swapped for ETH and consolidated into fewer wallets.

The company has emphasized that its underlying protocols remain secure.

Second breach in a month

This isn’t Polymarket’s first security incident this year. On May 22, a separate breach drained between $520,000 and $700,000 from an internal wallet on the Polygon network. That earlier attack was attributed to a suspected private key compromise, and Polymarket said at the time that user funds were not affected.

Two incidents in roughly five weeks paints a pattern that’s hard to ignore. The May breach hit internal funds. The June breach hit user funds. Different attack vectors, different targets, but the same platform finding itself on the wrong end of security failures at an uncomfortable frequency.

What this means for prediction market users and crypto investors

Supply-chain attacks are notoriously difficult to prevent because they exploit trust relationships with external vendors rather than flaws in a platform’s own code. Smart contract audits have become table stakes in the industry, with projects routinely commissioning multiple audit firms before launch. But frontend dependencies often receive far less scrutiny, despite being the layer that users actually interact with.

Regulatory implications also loom. Polymarket has already navigated complex regulatory waters, including a previous settlement with the CFTC. Repeated security breaches that result in user fund losses tend to attract the kind of regulatory attention that no crypto platform wants, particularly when the platform operates in a space that regulators are already watching closely.