Polymarket says it will reimburse users after a front-end phishing attack drained an estimated $2.94 million.
What happened
Polymarket disclosed on X that attackers compromised a third‑party vendor and used that access to inject a malicious script into the platform’s frontend for some users. The injected code enabled a phishing flow that stole funds from connected wallets after users interacted with the compromised interface. Polymarket says it has removed the affected dependency, contained the incident, is contacting impacted users, and will fully reimburse those who lost funds.
Technical details and impact
Blockchain analyst Specter estimated the attack hit at least 11 victim wallets. The attackers reportedly stole PUSD, swapped the stolen assets to ETH and consolidated proceeds into a single address. Specter and other observers characterized this as a phishing campaign (supply‑chain/frontend compromise) rather than a protocol exploit of Polymarket’s contracts.
Wider context: Q2 security environment
DeFiLlama logged this event as the 89th reported crypto security breach in Q2 — the highest quarterly incident count on record for the platform. For June alone, DeFiLlama recorded $74.9 million in losses across 29 crypto exploits, higher than May’s $60.5 million but far below April’s spike of $644 million. June’s largest incidents included a $36 million exploit at Humanity Protocol, a $4.7 million Secret Network bridge exploit, two separate $2.1 million incidents affecting Aztec, and a $1.7 million bridge exploit on Taiko.
Attack vectors trending
DeFiLlama’s breakdown of recent exploit causes shows private key compromises remain a major risk, accounting for 43% of exploit losses over the past 30 days. Fake‑proof exploits made up 10% and reverse‑MEV honeypots about 8%, underscoring a mix of social‑engineering, key‑management and on‑chain deception threats.
Polymarket’s prior incident
Polymarket also disclosed a separate security incident roughly a month earlier: attackers exploited a six‑year‑old private key used for internal top‑up operations and stole about $600,000. Researchers — including ZachXBT, PeckShield and Bubblemaps — flagged suspicious activity around Polymarket’s UMA CTF Adapter on Polygon, with Bubblemaps reporting repeated POL withdrawals. Polymarket later said the issue stemmed from a compromised internal wallet rather than a vulnerability in its smart contracts, and said user funds and contracts remained secure after revoking the compromised key’s permissions.
Bottom line
Polymarket’s prompt containment and promise of full refunds will be welcome to affected users, but the episode highlights ongoing dangers from third‑party dependencies and key compromises — and the importance of vigilance for users interacting with connected wallets.
Read more AI-generated news on: undefined/news
