Polymarket, the largest blockchain prediction market by volume, lost roughly $3.1 million of user money to a hack that began on June 25, 2026, and the loss figure was revised upward only days after the platform had publicly promised affected users full refunds. The attackers did not break the smart contracts that settle Polymarket bets. They got in through the website itself, after a third-party vendor that supplies code to the front end was compromised and a malicious script was slipped into the page users see in their browser. Eleven user wallets were drained, the stolen balances were swapped out of Polymarket's dollar-pegged token and bridged into roughly 1,893 ETH, and the funds were parked in attacker-controlled addresses.
The timing is what stings. This is the second security failure in roughly five weeks, and the refund pledge landed almost on top of the news that the damage was bigger than first reported. Here is what actually happened, why the back-to-back timing matters, and what it tells you about custody risk on prediction markets and DeFi platforms generally.
What Happened in the Polymarket Hack
The attack was a supply-chain compromise, not a smart-contract exploit. Polymarket's on-chain contracts functioned exactly as designed. The weak point was the web layer that sits between a user and those contracts. A third-party vendor supplying front-end code to the site was breached, and the attacker used that access to inject a rogue script into the page. When affected users loaded the site, that script ran silently in their browser and prompted them to sign wallet transactions they did not intend to authorize. The signatures looked routine, so the usual red flags never appeared.
The target was pUSD, Polymarket's dollar-pegged stablecoin, which is backed by USDC. Once the attacker controlled the drained balances, they swapped the pUSD for Ethereum, bridged the proceeds from Polygon to the Ethereum mainnet, and consolidated everything into a single wallet. The initial public estimate was about $2.9 million across the affected accounts. Within days that number was revised to roughly $3.1 million as more of the affected wallets were accounted for, which is part of why the upward revision read so badly against a refund promise made when the figure still looked smaller.
If you want the plain-English version, think of it like this. The vault was never cracked. Someone tampered with the front door's keypad so that when you tapped in to do your normal business, you were quietly authorizing a withdrawal to a stranger. That is why a stablecoin sitting in your own wallet could still leave it. The contracts held. The interface lied.
Why the Timing After the Refund Promise Matters
Polymarket moved fast on messaging. After the breach was confirmed, the Polymarket team said it had removed the compromised dependency, fixed the vulnerability, and would fully reimburse affected pUSD holders. On its own, that is the right response. Acknowledge the loss, patch the hole, make users whole. The problem is the sequence. The refund pledge went out, and then the headline number climbed from $2.9 million to $3.1 million, which is exactly the kind of revision that makes a reassurance look premature rather than reassuring.
Trust on a trading platform is built on the gap between what a team promises and what reality confirms. When a company commits to covering losses and the losses then grow, users start asking the obvious follow-up: is the $3.1 million figure final, or does it climb again next week? That uncertainty does more reputational damage than the dollar amount itself, because the dollar amount is recoverable and the doubt is not.
There is a second-order effect worth naming. Polymarket markets itself as the venue where you bet on real-world outcomes with real money, and the entire pitch rests on the idea that your funds are safe while you wait for an event to resolve. A drain that hits users directly, days after a confidence-restoring statement, undercuts that pitch at its core.
Polymarket's Recent Run of Security and Regulatory Problems
This was not an isolated event. On May 22, 2026, on-chain investigators flagged a separate incident, covered in CoinDesk's markets section, in which roughly $520,000 to $700,000 was drained from internal operations wallets used for prize payouts on Polygon. That attack traced back to a private key that had reportedly been left active for six years. User funds were not affected that time, and the team said balances were safe, but two breaches in under two months is a pattern, not a coincidence. The May incident hit employee-side infrastructure. The June incident hit users. Different attack surfaces, same uncomfortable conclusion about how many doors were left open.
The security problems also arrived during heightened regulatory attention. The Commodity Futures Trading Commission opened an investigation into Polymarket's marketing practices, centered on a promotional campaign that used paid social-media creators posting videos of simulated trades and exaggerated winnings, often without disclosing they were compensated. According to reporting reviewed in June 2026, a large share of more than 1,100 such videos showcased fake bets. Senators John Curtis and Adam Schiff sent a letter to the CFTC pressing for answers, with a requested response date of July 10, 2026.
Here is the timeline at a glance.
| Date | Event | Who was affected |
| --- | --- | --- |
| May 22, 2026 | Internal payout wallets drained via a six-year-old private key | Internal operations, not users |
| June 20, 2026 | Reporting surfaces on deceptive promotional videos | Reputational, regulatory |
| June 25, 2026 | Front-end supply-chain hack drains user wallets | Users directly |
| June 26, 2026 | Refund pledge issued for affected pUSD holders | Affected users |
| Days later | Loss figure revised up to $3.1 million | Affected users |
| July 10, 2026 | Requested CFTC response date on the marketing probe | Platform, regulators |
What Affected Users Can Expect
For the eleven wallets that were drained, the operative promise is full reimbursement in pUSD value. Polymarket has said it will make affected holders whole, and the platform has removed the compromised vendor dependency that allowed the script injection in the first place. If you held pUSD and did not interact with the malicious prompt during the window, your funds were not part of this drain. The attack required a signature, so wallets that never authorized the rogue transaction were not touched.
Recovery of the stolen funds themselves is a separate and slower question. As of the latest tracking, the consolidated 1,893 ETH had not moved from the attacker's Ethereum addresses, which means investigators and any exchange compliance teams have a clear on-chain trail to watch. You can follow the consolidated balance directly on a block explorer like Etherscan. Any chance of it being frozen or returned depends on where the attacker tries to move it next.
For everyone else, the practical takeaway is about behavior. Treat every signature request as a decision, not a formality. Read what your wallet is actually asking you to approve. The users who got drained were not careless in any obvious way. The interface they trusted was the thing that betrayed them, which is precisely why the lesson generalizes beyond this one platform.
The Custody and Security Lesson for Prediction Markets and DeFi
The uncomfortable truth of this hack is that the smart contracts were fine. Most of the security conversation in crypto fixates on contract audits and on-chain exploits, but a growing share of real losses now come from the layers around the contracts. The Polymarket drain is a textbook example, and it rhymes with the broader pattern documented across recent DeFi hacks and bridge exploits, where the failure point keeps shifting to the seams between systems.
A few principles hold up across almost every incident like this one.
- Front-end risk is real custody risk. A perfectly audited contract does nothing for you if the website serving the interface has been tampered with. The signature you approve is what moves money, not the contract's code.
- Third-party dependencies are attack surface. A vendor you have never heard of, supplying a script you never see, can become the entry point. Supply-chain compromises hit the weakest link in a long chain, not the part everyone is watching.
- Hot custody on any platform is convenience traded for exposure. Funds sitting in a wallet that interacts with a live web app are only as safe as that app's worst dependency on its worst day.
- Signature hygiene is the user's last line of defense. Verify the contract address, verify the token, verify the amount. A drainer's entire business model depends on you not reading the prompt.
- Refund promises are not the same as recovered funds. A reimbursement covers your loss. It does not undo the breach, and it does not guarantee the next disclosure won't revise the damage upward.
None of this is unique to prediction markets. It applies to any platform where you connect a wallet and sign transactions through a website. The medium of the bet does not change the mechanics of the theft.
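The "verify the contract address, verify the token, verify the amount" advice can be made mechanical. The Node.js snippet below is an added illustration of that check for the two ERC-20 calls a drainer most often needs a user to sign, `approve` and `transfer`; it is not Polymarket's code and not a reconstruction of the prompt used in this incident. The function selectors are the standard ERC-20 ones; every address is a constructed placeholder, and the six-decimal token, the allowlist and the `reviewErc20Transaction` policy shape are assumptions of the example.

```javascript
// Added example: inspect an ERC-20 approve/transfer before signing it.
// Not Polymarket's code and not a reconstruction of the incident's prompt:
// the selectors are the standard ERC-20 ones, every address is a constructed
// placeholder, and the 6-decimal token and the allowlist are assumptions.
const SELECTORS = {
  '095ea7b3': 'approve',  // approve(address spender, uint256 amount)
  'a9059cbb': 'transfer', // transfer(address to, uint256 amount)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI-encode a two-argument ERC-20 call (used here to build sample calldata).
function encodeErc20Call(fn, address, amount) {
  const selector = Object.keys(SELECTORS).find((k) => SELECTORS[k] === fn);
  if (!selector) throw new Error(`unsupported function: ${fn}`);
  const addrWord = address.replace(/^0x/i, '').toLowerCase().padStart(64, '0');
  const amtWord = BigInt(amount).toString(16).padStart(64, '0');
  return '0x' + selector + addrWord + amtWord;
}

// Decode the selector, the counterparty and the amount; null if it is not a
// plain ERC-20 approve/transfer, which is itself a reason to stop and look.
function decodeErc20Call(calldataHex) {
  const hex = calldataHex.replace(/^0x/i, '').toLowerCase();
  if (hex.length !== 8 + 64 + 64 || !/^[0-9a-f]+$/.test(hex)) return null;
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return null;
  const addrWord = hex.slice(8, 72);
  if (!/^0{24}/.test(addrWord)) return null; // an address word must be zero-padded
  return { fn, address: '0x' + addrWord.slice(24), amount: BigInt('0x' + hex.slice(72, 136)) };
}

// Apply the three checks from the text: contract address, counterparty, amount.
// Returns machine-readable findings so a wallet UI (or a test) can act on them.
function reviewErc20Transaction(tx, policy) {
  const findings = [];
  if (tx.to.toLowerCase() !== policy.tokenContract.toLowerCase()) {
    findings.push('wrong-token-contract');
  }
  const call = decodeErc20Call(tx.data);
  if (!call) {
    findings.push('undecodable-calldata');
    return { ok: false, call: null, findings };
  }
  const trusted = policy.trustedCounterparties.map((a) => a.toLowerCase());
  if (!trusted.includes(call.address)) findings.push('untrusted-counterparty');
  if (call.fn === 'approve' && call.amount === MAX_UINT256) findings.push('unlimited-approval');
  if (call.amount > policy.maxAmount) findings.push('amount-over-limit');
  return { ok: findings.length === 0, call, findings };
}

// Constructed placeholders (not real contracts or parties).
const TOKEN = '0x' + '11'.repeat(20);
const KNOWN_SPENDER = '0x' + '22'.repeat(20);
const UNKNOWN_SPENDER = '0x' + '33'.repeat(20);
const DECIMALS = 6n; // assumed, USDC-style
const POLICY = {
  tokenContract: TOKEN,
  trustedCounterparties: [KNOWN_SPENDER],
  maxAmount: 1000n * 10n ** DECIMALS, // largest single approval/transfer to wave through
};

// A routine approval of 500 tokens to a known spender, and an unlimited
// approval to an address the user has never dealt with.
const ROUTINE_TX = { to: TOKEN, data: encodeErc20Call('approve', KNOWN_SPENDER, 500n * 10n ** DECIMALS) };
const SUSPICIOUS_TX = { to: TOKEN, data: encodeErc20Call('approve', UNKNOWN_SPENDER, MAX_UINT256) };

function demo() {
  return {
    routine: reviewErc20Transaction(ROUTINE_TX, POLICY),       // ok: true
    suspicious: reviewErc20Transaction(SUSPICIOUS_TX, POLICY), // ok: false, three findings
  };
}

console.log(demo());
```

The point of returning findings rather than a bare yes/no is that each one maps to a question the user can answer from the wallet prompt alone: is this the token I hold, is this a party I meant to deal with, is this amount one I would sign by hand. A prompt that fails any of them deserves a pause, whatever the website says it is for.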
Frequently Asked Questions
Is Polymarket safe?
Polymarket's smart contracts were not exploited in this incident, but the platform has now suffered two security failures in roughly five weeks, one hitting internal wallets and one hitting users directly. The team patched the compromised vendor dependency and pledged refunds, but the back-to-back pattern is a reason to size any balance you keep on it carefully and to scrutinize every signature request.
What happened to Polymarket?
On June 25, 2026, attackers compromised a third-party vendor that supplied front-end code and injected a malicious script into Polymarket's website, draining about $3.1 million in pUSD from eleven user wallets. The funds were swapped to roughly 1,893 ETH and bridged to Ethereum, where they sat in attacker-controlled addresses as investigators tracked them.
Will Polymarket refund users?
Polymarket has publicly committed to fully reimbursing the affected pUSD holders and says it removed the compromised dependency that enabled the attack. The reimbursement covers the eleven drained wallets, though recovery of the stolen on-chain funds themselves is a separate process, and it hinges on the attacker's consolidated ETH being frozen or returned before it scatters.
How did the Polymarket hack happen if the contracts were not exploited?
The attack targeted the website layer, not the blockchain layer. A breached vendor allowed a rogue script onto the front end, and that script prompted users to sign transactions that authorized the drain, which is why funds left wallets even though Polymarket's prediction market contracts behaved exactly as designed.
Bottom Line
The Polymarket drain is a front-end and supply-chain failure that cost users about $3.1 million, and the most damaging part was not the dollar amount but the sequence. A refund pledge followed by an upward revision to the loss figure, on the back of a separate May incident and an open CFTC probe, is the kind of compounding trust problem that lingers after the money is returned. Watch three things from here. Does the $3.1 million figure hold or climb again? Does the consolidated ETH ever move? Does the platform's next disclosure add a third incident to the list? The broader lesson outlasts this one venue. On any platform where you sign with a wallet, your real exposure is the website and its dependencies rather than the contract alone, and the only defense you fully control is reading what you approve. When in doubt, keep less of your stack anywhere that talks to a live web app, and learn how self-custody works with assets like Bitcoin before you need to.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.