Polymarket Suffers $3M Theft from Supply-Chain Attack via Third-Party Vendor

On June 25, 2026, Polymarket confirmed a security breach that led to the theft of approximately $3 million from fewer than 15 user accounts. The attack was executed through a compromised third-party vendor, which allowed hackers to inject malicious code into Polymarket's website frontend. The stolen funds primarily consisted of Polymarket's pUSD stablecoin, which were quickly converted to Ethereum (ETH) to obscure the trail. Blockchain analysts reported that over 11 wallets were affected, with the attackers consolidating the stolen assets into a single address. Polymarket has assured all impacted users that they will be fully reimbursed and has removed the compromised vendor dependency. This incident follows a previous breach in May 2026, where the platform lost approximately $700,000 due to a separate attack targeting employee wallets. The company is now facing scrutiny regarding its vendor vetting processes and security measures.

Key Points: • Polymarket lost $3 million due to a supply-chain attack via a compromised vendor. • Fewer than 15 user accounts were directly affected, with funds primarily in pUSD. • The incident follows a previous breach in May 2026, raising concerns about Polymarket's security practices.