Polymarket hack: $3M stolen via third-party code injection

Key Takeaways

• Hackers injected malicious code via a compromised third-party vendor, stealing approximately $3 million in cryptocurrency from at least 11 Polymarket users
• Polymarket confirmed the breach and pledged full refunds to affected victims, though details remain sparse
• The incident follows revelations that Polymarket paid creators to post fake winning-bet videos, compounding the platform's credibility problems

Polymarket, the crypto prediction market that became a media darling during the 2024 US election, confirmed Thursday that hackers stole funds from users after compromising a third-party vendor. Blockchain monitoring firm PeckShield estimates the damage at around $3 million, taken from at least 11 victims.

The attack worked through code injection. According to Polymarket's statement on X, attackers compromised an unnamed third-party vendor and used that access to inject malicious code into the platform's website "for some users." The company says it has contained the breach and is contacting affected users.

Polymarket spokesperson Connor Brandi confirmed to TechCrunch that funds were stolen but declined to answer specific questions about how many users were affected, which vendor was breached, or how the attackers gained initial access.

How did the Polymarket attack unfold?

The timeline is still emerging. Two users on social media reported losing funds in the days before Polymarket's official announcement. Around the same time the company posted its statement, PeckShield flagged an active phishing campaign targeting Polymarket users, though it's unclear if this was part of the same attack or opportunistic follow-on activity.

Blockchain analyst SpecterAnalyst corroborated the $3 million figure and identified at least 11 victims whose wallets were drained.

Supply chain attacks, where hackers compromise a vendor to reach a larger target, have become a persistent threat in crypto. The December 2023 Ledger Connect Kit hack used the same playbook: attackers injected malicious code through a compromised library, draining wallets across multiple decentralized apps.

Will Polymarket actually refund victims?

The company says yes. "We have contained the incident and are now contacting the affected victims and refunding them in full," Polymarket stated. For a platform that raised $70 million (with backing from Peter Thiel's Founders Fund), absorbing $3 million in refunds is financially manageable. Whether the company follows through, and how quickly, will matter for its credibility.

That credibility is already under strain. On Sunday, an investigation revealed Polymarket had paid online creators to post deceptive videos showing lucrative wins that were actually fake. The company said it would audit its promotional content, but the timing couldn't be worse. A platform built on transparent, verifiable outcomes now faces questions about both its marketing practices and its security.

Polymarket's regulatory history adds context

Polymarket isn't new to controversy. In 2022, the company paid $1.4 million to settle with the CFTC over operating an unregistered derivatives platform. US users are technically blocked from the service, though enforcement has been inconsistent. The platform operates on the Polygon blockchain and lets users bet cryptocurrency on real-world events, from presidential elections to sports outcomes.

During the 2024 election cycle, Polymarket became the go-to source for prediction market odds, frequently cited by major news outlets. That mainstream visibility makes this breach more consequential. It's not just crypto insiders paying attention.

What should users do now?

If you've used Polymarket, check your connected wallet for unauthorized transactions. Revoke any permissions you granted to the platform until the company provides clearer details about which third-party vendor was compromised and how. Be extremely cautious of any communications claiming to be from Polymarket, as phishing attempts typically spike after a publicized breach.

The incident is a reminder that "not your keys, not your crypto" only goes so far. Even users who control their own wallets can lose funds if they interact with a compromised dApp. The attack surface in DeFi includes every vendor in the supply chain.

Frequently Asked Questions

How much money was stolen in the Polymarket hack?

Blockchain monitoring firm PeckShield estimates approximately $3 million in cryptocurrency was stolen from at least 11 victims.

Will Polymarket refund users who lost funds?

Yes. Polymarket stated it is contacting affected victims and refunding them in full, though the company hasn't specified a timeline.

How did hackers breach Polymarket?

Attackers compromised an unnamed third-party vendor and used that access to inject malicious code into Polymarket's website for some users.

Is Polymarket safe to use now?

Polymarket says the incident has been contained, but users should verify wallet permissions and watch for phishing attempts until more details emerge about the compromised vendor.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai