Polymarket hack losses have climbed to an estimated $3.1 million after blockchain analytics firm AMLBot revised its tally upward, intensifying questions about the prediction market platform's
Polymarket hack losses have climbed to an estimated $3.1 million after blockchain analytics firm AMLBot revised its tally upward, intensifying questions about the prediction market platform's pledge to fully refund affected users.
On June 25, 2026, Polymarket disclosed that a compromised third-party vendor had injected a malicious script into its frontend, affecting a subset of users. The platform said it had contained the incident, removed the affected dependency, and was contacting impacted users. For related coverage, see ESMA orders unauthorized crypto providers to halt EU clients.
Two days later, CoinDesk reported that AMLBot's revised estimate put total user losses at about $3.1 million, up from earlier tallies near $3.04 million. The updated count tied the stolen funds to 11 victim wallets.
Updated Estimated Losses $3.1 million AMLBot's revised tally, as reported by CoinDesk on June 27, 2026, raised the estimated impact from earlier counts and tied the losses to 11 victim wallets.Security firm C/side attributed the breach to a client-side supply-chain attack that exploited the Ads Providers dependency chain. The malicious payload only executed after a user clicked a specific button, making the compromise harder to detect through routine monitoring.
The stolen PUSD on Polygon was reportedly bridged to Ethereum and swapped into ETH, a laundering path that complicates recovery. No first-party Polymarket postmortem or wallet-by-wallet reconciliation has been published, meaning the $3.1 million figure rests on AMLBot's independent analysis rather than an official platform-issued total.
In its June 25 statement, Polymarket said it would refund impacted users in full. The pledge was notable for its speed, arriving before the platform had publicly confirmed a final loss total.
The main questions center on scope and timing. The fetched reporting did not surface a public deadline for completing refunds, an eligibility framework, or a tracking dashboard. With the loss estimate still climbing days after the initial disclosure, users have limited visibility into when or how they will be made whole.
The incident also landed while U.S. authorities were already scrutinizing Polymarket over alleged regulatory violations, as TechCrunch reported. That existing federal attention adds pressure to execute the refund cleanly, since any perceived shortfall could compound reputational and legal exposure.
The hack is distinct from a smart-contract exploit. C/side's analysis confirmed the vulnerability sat in a third-party frontend dependency, not in Polymarket's on-chain infrastructure. That distinction matters for the refund calculus: the platform's core contracts and treasury were not breached, which in principle leaves it better positioned to honor the pledge.
A rising loss figure paired with an open-ended refund commitment creates a trust problem that extends beyond the immediate financial damage. Polymarket has built significant scale, with annualized revenue recently topping $1 billion, but the hack tests whether the platform's operational security matches its growth trajectory.
The broader crypto market backdrop adds context. The Crypto Fear & Greed Index sat at 18, registering Extreme Fear, at the time of the incident's escalation.
Crypto Fear & Greed Index 18 The benchmark registered Extreme Fear, giving the article a concise sentiment datapoint alongside the hack-loss update.Supply-chain attacks targeting frontend dependencies have become a recurring threat across crypto platforms. A similar pattern emerged earlier this year when a separate exploit drained $1.58 million from a Balancer pool, underscoring the vulnerability of DeFi-adjacent interfaces to compromised third-party code.
For affected users, the immediate priority is confirming whether their wallets are among the 11 identified by AMLBot and watching for direct communication from Polymarket about refund mechanics. The platform has not announced a public timeline, and no completion status has been shared as of June 28, 2026.
Whether Polymarket can close the gap between its refund promise and verifiable payouts will likely shape how both users and regulators assess the platform's credibility in the weeks ahead, particularly given the ongoing insider trading case already testing public confidence in its operations.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
Read original article on nftenex.com
