Polymarket has verified that hackers took $3 million from users following a breach of a third-party vendor.

      TL;DR Hackers siphoned around three million dollars from Polymarket users through a compromised third-party vendor that introduced malicious code into its frontend.

      Polymarket confirmed on Thursday that funds were stolen from users after a vendor was compromised, enabling the injection of harmful code into the prediction market's site. According to blockchain monitoring firm PeckShield, losses are estimated at about three million dollars in cryptocurrency, impacting over 11 individuals.

      The company stated on X that it has "contained" the issue and eliminated the affected dependency. Polymarket mentioned it is reaching out to victims and will "refund them in full," though it has not disclosed the number of affected users or identified the compromised vendor.

      Polymarket spokesperson Connor Brandi confirmed to TechCrunch that a breach resulted in fund theft but did not provide further details. The company did not answer specific questions regarding the incident.

      Data reviewed by blockchain analyst Specter revealed that funds were drained from victim wallets holding PUSD, Polymarket's stablecoin. The stolen assets were quickly bridged from Polygon to Ethereum and converted into about 1,893 ETH, a common method attackers use to cover their tracks and liquidate funds rapidly.

      This attack was a compromise of the supply chain, rather than a direct violation of Polymarket’s infrastructure. The code of a third-party vendor was altered, and the malicious script was delivered to certain users through Polymarket’s frontend. Users interacting with the compromised interface had their funds stolen without any exploitation of the platform’s main smart contracts.

      This incident is not the first time Polymarket's security has been challenged this year. In May, blockchain researcher ZachXBT flagged another occurrence in which about $520,000 was drained from two smart contracts on the Polygon network. Polymarket stated that the losses were due to a compromised six-year-old private key linked to an internal operations wallet, rather than a platform exploit.

      The hack marks what has been Polymarket's most challenging week. On Sunday, a Wall Street Journal investigation uncovered that the company paid online creators to produce misleading videos featuring fabricated bets and fake winnings. The Journal analyzed over 1,100 videos and concluded that none of the bets, which showcased nearly two million dollars in value, were placed on the live platform, prompting Polymarket to announce plans to audit its promotional content.

      These scandals emerge amidst increasing regulatory and legal scrutiny. A Google engineer was charged last month with insider trading after using internal search data to gain over one million dollars on Polymarket. Additionally, Spain blocked the platform in May due to missing gambling licenses, joining France, Belgium, Poland, Italy, and India in restricting access.

      Polymarket has also faced structural concerns regarding its governance. A $345 million dispute over a contract related to an Iran peace deal earlier this month revealed that merely nine anonymous cryptocurrency wallets hold over half of the voting power used to resolve contested outcomes on the platform.

      Founded by Shayne Coplan, Polymarket became the leading prediction market during the 2024 US presidential election and has seen rapid growth since. The combined monthly trading volume for Polymarket and its competitor Kalshi quadrupled from under five billion dollars to 24 billion dollars between September 2025 and April 2026. The question now is whether this growth trend can withstand a combination of security breaches, marketing fraud, and regulatory challenges.