June 28, 2026 ChainGPT

Polymarket frontend hack drains ~$3.1M in PUSD via malicious third‑party script

Polymarket’s recent security crisis has deepened: blockchain intelligence firm AMLBot now estimates the attacker walked away with roughly $3.1 million in PUSD, up from earlier estimates near $2.94 million.

What happened

- AMLBot says about $3.1M in PUSD was stolen from 11 user wallets on Polygon. The funds were quickly converted and routed off-chain — AMLBot’s on-chain tracing shows the attacker converted to USDC.e (via Relay), bridged to Ethereum and then swapped into ETH.
- PeckShield and Specter Analyst corroborated that the campaign was a phishing-style frontend attack that ultimately consolidated the proceeds into an Ethereum address. PeckShield reported the swaps yielded roughly 1,893 ETH.
- The attack exploited a malicious script injected into Polymarket’s website UI that triggered harmful wallet approvals (reported as phishing / malicious EIP-7702 delegated execution). Because the exploit lived in the frontend code delivered to users’ browsers, the site could look normal while prompting dangerous wallet actions.

Polymarket’s response

- On June 25 Polymarket said a third‑party vendor had been compromised, enabling the injection of malicious code into the platform’s frontend for some users.
- The company said it “contained it & removed the affected dependency,” is contacting impacted users, and has pledged to refund affected accounts in full.
- The platform emphasized that the core protocol contracts were not altered and that the vector was the website interface and a third‑party dependency.

Why this matters

- Frontend attacks are especially insidious because they rely on user interaction with seemingly legitimate UI elements, tricking wallets into approving transactions that drain funds.
- The incident highlights the growing attack surface created by third‑party libraries and services — even when smart contracts themselves are secure, external code can expose users to risk.
- DefiLlama counted this hack among the 89 reported crypto security breaches in Q2 — the highest number of reported incidents on record for a single quarter — underscoring elevated adversary activity and recurring vulnerabilities across ecosystems.

Context and history

- This is not Polymarket’s first incident: in March a blockchain investigator flagged an issue after about $520k was reportedly drained from two Polygon contracts (Polymarket later said funds were safe). In December users also reported suspicious logins and missing funds via Discord.
- The security troubles come amid rising regulatory and legal scrutiny. U.S. Senators Adam Schiff and John Curtis have asked the CFTC to investigate allegations tied to Polymarket’s advertising and promotional practices (including claims around simulated trading sites, staged transactions, and undisclosed paid influencers), and whether the CFTC has sufficient oversight tools for prediction markets.
- Separately, Polymarket and rival Kalshi are embroiled in litigation over sports-linked contracts. Kentucky has accused prediction market platforms of offering unlicensed sports betting, while the CFTC maintains that federally regulated event contracts fall under its jurisdiction. Outcomes of these cases could shape whether sports-related prediction markets are governed primarily by federal derivatives rules or state gambling laws.

What to watch next

- Whether Polymarket follows through on full refunds and the speed of reimbursements to affected users.
- Any additional forensic details or on‑chain indicators released by AMLBot, PeckShield or other investigators that trace the attacker’s liquidity pathways.
- Regulatory moves stemming from the Senatorial inquiry and ongoing litigation that may change compliance requirements for prediction markets and frontend security standards.
Bottom line: The Polymarket incident is a reminder that smart‑contract security is only part of the story — frontend dependencies and user-facing code present a critical attack vector that platforms must harden as regulators and litigators pay closer attention.