
Polymarket: An External Breach Costs the Platform 3 Million Dollars


AnonymousCryptoCompass newsroom
June 27, 2026

A compromised third-party provider allowed hackers to inject malicious code into Polymarket’s interface, stealing about 3 million dollars from more than 11 users. The prediction markets platform contained the incident and announced full reimbursement for the victims. In a sector under increasing scrutiny, the flaw raises questions about the security of front-end layers.

In brief

  • Hackers stole about 3 million dollars from more than 11 Polymarket users via a compromised third-party provider.
  • The malicious code targeted the web interface and not the smart contracts, prompting victims to approve fraudulent transactions.
  • Polymarket has announced full reimbursement for victims and has removed the third-party dependency that caused the breach.

How did hackers bypass Polymarket’s defenses?

The blockchain security firm PeckShield estimated the damage at 3 million dollars, spread over at least 11 victims. Polymarket itself, however, did not suffer a direct breach. The attackers targeted a third-party provider whose code was delivered via the platform’s web interface, injecting a fraudulent script that prompted users to validate fake transactions.


This type of attack, called a “supply chain compromise,” is particularly feared in the crypto industry. Instead of targeting the systems a platform secures directly, attackers go after its software dependencies.

Visitors loading the compromised page saw apparently legitimate signature requests, which actually gave attackers control over their wallets.

According to Polymarket itself, the platform has removed the affected dependency and now has the incident fully under control. Funds locked in on-chain markets were never exposed; only users who approved fraudulent transactions saw their wallets drained.
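A defender-side check for the failure described in this section, added here as an illustration and not taken from the article or from Polymarket: it audits a page for third-party scripts that carry no Subresource Integrity pin, or whose served body no longer matches the pin. It assumes the third-party code is loaded through cross-origin `<script>` tags, which the article does not specify; the hostnames, script bodies and function names are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_sha384(body: bytes) -> str:
    """Return the Subresource Integrity value a browser computes for `body`."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity attribute or None)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit(html: str, first_party_host: str, fetched: dict) -> list:
    """Flag third-party scripts that are unpinned or no longer match their pin."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == first_party_host:
            continue  # relative or same-host URL: served by the platform itself
        if integrity is None:
            findings.append((src, "no integrity pin"))
        elif sri_sha384(fetched.get(src, b"")) not in integrity.split():
            findings.append((src, "hash mismatch"))  # a browser would refuse to run it
    return findings

# Constructed sample data: one pinned vendor script, one unpinned, one first-party.
GOOD = b"export function track(e){ /* vendor analytics */ }"
TAMPERED = GOOD + b"\n/* code appended after the vendor was compromised */"
PAGE = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/sdk.js" integrity="{sri_sha384(GOOD)}" crossorigin="anonymous"></script>
<script src="https://cdn.vendor-b.example/widget.js"></script>
</head></html>"""

def demo():
    # What each vendor URL serves after the (constructed) compromise of vendor-a.
    served = {"https://cdn.vendor-a.example/sdk.js": TAMPERED,
              "https://cdn.vendor-b.example/widget.js": GOOD}
    return audit(PAGE, "app.example", served)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A pin only helps for scripts loaded at a fixed version; a vendor URL whose content changes on every release cannot be pinned and has to be self-hosted or isolated instead.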

A sector under regulatory and security pressure

The incident comes as prediction markets face a period of increased scrutiny. Polymarket and its competitor Kalshi posted a record April 2026, and Polymarket claims over 100 million transactions to date. This visibility attracts regulators as much as attackers.

On the regulatory side, the CFTC recently took legal action against Kentucky, which is trying to apply its own rules to prediction markets by equating them with sports betting. This jurisdictional battle between federal authority and local legislators illustrates the ongoing regulatory tensions around platforms like Polymarket and Kalshi.

The platform had also deployed Chainalysis monitoring tools to strengthen the integrity of its markets. This June hack adds operational security to an already long list of concerns.

This hack demonstrates a reality well known to DeFi protocols and exchanges: the robustness of smart contracts does not protect against flaws that sit upstream, in the visible layer. Polymarket is handling the crisis with quick reimbursements, but trust in the security of web interfaces remains the sector’s weak link.