I want to be honest about how bad the timing of this looks for Polymarket. The platform has spent years building a reputation as the most credible prediction market in crypto, the go-to place for serious forecasters and bettors. This week, two damaging stories dropped almost simultaneously, and together they paint a picture the company is going to need time to recover from.

The first was a Wall Street Journal report that Polymarket is under federal investigation over allegations of deceptive social media promotion. The second arrived Thursday: a phishing attack that drained $3.1 million from user wallets.

What Actually Happened

A blockchain intelligence firm updated its assessment Saturday, confirming that hackers stole approximately $3.1 million in PUSD, Polymarket's native collateral and settlement token, from eleven user wallets. The stolen funds were originally on the Polygon network and were immediately bridged to Ethereum after the theft.

Blockchain security firm PeckShield flagged the attack on Thursday, identifying a phishing campaign targeting Polymarket users. At that point, estimates put losses at roughly $2.94 million. By Saturday, the revised figure had grown to $3.1 million as the full scope of affected wallets became clear.

How the Attack Got In

Polymarket explained what happened in a post on X shortly after the attack was made public. A third-party vendor the platform uses had been compromised, and whoever controlled that vendor's access injected a malicious script into Polymarket's frontend. A script loaded that way runs in the user's browser with the same access as the site's own code, so users interacting with the site were exposed to code designed to steal wallet approvals or drain funds without their knowledge.

The company said it contained the breach, removed the compromised dependency, and was contacting affected users directly. It also pledged full refunds to every PUSD holder impacted by the attack.

That refund commitment is important, and I want to give Polymarket credit for making it quickly and publicly. But the question of how a compromised third-party vendor was able to inject malicious code into a live production frontend is one that deserves a much fuller answer than the platform has provided so far.

This Isn't the First Time

What makes this particularly difficult to look past is the pattern. In March, blockchain investigator ZachXBT flagged a suspected security breach that reportedly drained over $520,000 from two smart contracts on Polygon. Polymarket's response at the time was to say the funds were safe, a claim that itself generated confusion given ZachXBT's findings.

Before that, in December, Polymarket confirmed a security incident affecting its Discord channel after users reported missing funds and suspicious login attempts. That breach was attributed to an unidentified third-party login provider.

Third-party vendor. Third-party login provider. Compromised dependency. Every one of these incidents has a third-party component in the explanation. That is a supply chain security problem that goes beyond any individual hack: it is a pattern pointing to insufficient vetting and monitoring of the external services and code Polymarket relies on.

The Federal Investigation Layer

I don't want to conflate the hack with the regulatory situation, because they're separate issues. But I'd be doing readers a disservice if I didn't acknowledge that they've landed on top of each other.

Reports surfaced this week that U.S. federal authorities are examining Polymarket in connection with allegedly deceptive social media marketing, specifically around promotions where users appeared to boast about winnings in ways that may have misled potential participants.

Polymarket has not publicly confirmed or commented on the investigation. But the combination of an active federal inquiry and a $3.1 million phishing attack in the same news cycle is an objectively difficult week for a company trying to establish itself as the serious, institutionally credible alternative to traditional prediction markets.

The refunds will help with the immediate user trust problem. The security pattern and the regulatory scrutiny are longer-term conversations that won't resolve with a single statement on X.