Polymarket Sees $2.9M Theft, Refund Plan Approved for Users

Attackers exploited a third-party vendor compromise to inject malicious code into Polymarket’s frontend, triggering a phishing flow that ultimately drained funds from at least 11 user wallets, according to blockchain analyst Specter. Specter estimated the stolen amount at $2.94 million, citing activity linked to the compromised user interface.

Polymarket said it has contained the incident, removed the affected dependency, and will fully refund affected users. The case adds to a broader security trend flagged by DefiLlama, which reports that the quarter is now the most-hacked on record by incident count.

Key takeaways

• Specter attributed the Polymarket incident to a third-party vendor compromise that allowed malicious script injection into the platform’s frontend.
• The phishing mechanism reportedly led to an estimated $2.94 million drained from at least 11 Polymarket user wallets.
• Polymarket says containment is complete, the compromised dependency has been removed, and users will be fully refunded.
• DefiLlama data shows crypto security breaches in the second quarter hit a record pace, while June totals climbed to $74.9 million across 29 reported incidents.
• Across the last 30 days, DefiLlama reports private key compromises as the largest share of losses (43%), with “fake proof” exploits (10%) and reverse MEV honeypots (8%) following.

How the Polymarket frontend compromise unfolded

According to Specter, the attackers leveraged a third-party vendor breach to slip malicious scripting into Polymarket’s website experience. Specter said the injected code appeared designed to support a phishing attack—meaning users could be induced to sign or approve actions that transferred funds instead of completing the intended transaction.

Specter’s analysis estimated the theft at roughly $2.94 million, impacting at least 11 Polymarket user wallets. The figure is based on observed drain activity associated with the phishing pattern described by Specter.

Polymarket responded publicly on X, stating that it identified and contained the compromise, removed the affected dependency, and confirmed that affected users would be fully refunded. Cointelegraph sought further comment from Polymarket but did not receive a response before publication.

June exploit losses climb—still below April’s peak

While the Polymarket case is a notable incident, it sits within a wider wave of exploit activity. DefiLlama data cited in the report shows crypto exploit losses in June reached $74.9 million across 29 reported incidents, a rise from May’s $60.5 million total.

Even with the month-over-month increase, June’s total remained far below April’s $644 million figure, underscoring how uneven the exploit landscape has been across the year. The same DefiLlama dataset also marks the second quarter as the most-hacked period on record by incident count, extending the high frequency of breaches reported so far.

Largest June incidents highlight recurring bridge and exploit risk

DefiLlama’s breakdown points to several major June events that drove losses higher. The largest reported incident in June was a $36 million Humanity Protocol exploit. Other large items included a $4.7 million Secret Network bridge exploit and two separate Aztec exploits valued at $2.1 million each.

The list also includes a $1.7 million bridge exploit on Taiko. Together, these events reinforce a familiar theme in crypto security reporting: cross-chain bridge systems and complex protocol integrations continue to concentrate losses when vulnerabilities are discovered or supply-chain components are compromised.

Attack vectors shift: private key compromises lead, phishing cases remain a concern

DefiLlama’s methodology breaks down the last 30 days of reported exploit losses by technique. Private key compromises accounted for 43% of losses, making them the most common category in the period. “Fake proof” exploits represented 10%, while reverse MEV honeypots made up 8% by the same breakdown.

The Polymarket incident is described differently from those categories in the underlying reporting: Specter framed it as a frontend injection leading to phishing, which in practice can overlap with user-level security failures rather than only on-chain vulnerabilities. Regardless of the taxonomy, the operational takeaway is similar—attackers increasingly combine supply-chain weaknesses with user-targeted deception to move funds.

The threat also has a local history on Polymarket. About a month earlier, the prediction market disclosed a separate $600,000 exploit tied to a six-year-old private key used for internal top-up operations. Josh Stevens, Polymarket’s vice president of engineering, said then that contracts and user funds were safe and that permissions tied to the key had been revoked, reflecting a response approach aimed at limiting exposure after discovery.

What to watch next for Polymarket users

With Polymarket stating it has removed the compromised dependency and will refund impacted users, the next signals to monitor are whether any residual scams continue via cached pages, third-party scripts, or follow-on attempts against user approvals. More broadly, investors and users should track whether the second-quarter record pace continues and whether DefiLlama’s technique breakdown shows phishing-style incidents rising alongside private key compromises.

This article was originally published as Polymarket Sees $2.9M Theft, Refund Plan Approved for Users on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.