Polymarket lost nearly $3M after a supply-chain attack injected malicious code, draining PUSD from user wallets while pledging refunds.
Author: Akshat Thakur
High attention and emotional sentiment detected.
On June 25, 2026, a Polymarket hack drained close to $3 million from user wallets in a single morning. Attackers compromised a third-party vendor, then slipped malicious code into the Polymarket frontend. The script targeted PUSD, the platform’s main collateral token.
High Signal Summary For A Quick Glance
On-chain investigator Specter first flagged the theft. According to his report, the attacker drained PUSD from at least 11 victim wallets. Soon after, the stolen funds left Polygon and moved into Ethereum.
The attack started with a compromised third-party vendor. Because Polymarket loads outside scripts into its site, that vendor became an entry point. As a result, malicious JavaScript reached the frontend for a subset of users.
When affected users connected their wallets, the injected code went to work. It tricked them into approving or signing transactions that handed over their PUSD. So the loss came through the official site, not a fake clone.
This was a supply-chain compromise, not a smart contract exploit. In other words, Polymarket’s on-chain contracts kept working as designed. Instead, the weak point sat in the code delivered to users’ browsers.
According to Specter’s analysis, roughly $2.94 million in PUSD vanished from at least 11 wallets. PeckShield later amplified the report with details on the fund flows.
The timeline moved fast. Around 14:28 UTC, Specter first reported the drain. Roughly 15 minutes later, Polymarket acknowledged the breach publicly. Soon after, PeckShield added the bridging and swap details.
PUSD is Polymarket’s native collateral token on Polygon. It launched during the April 2026 platform upgrade. The token is an ERC-20 asset backed 1:1 by USDC, with that backing enforced on-chain.
Before that upgrade, traders posted bridged USDC.e as collateral. PUSD then replaced it as the primary trading asset. Today it backs most positions across the platform, so its security matters to nearly every active user.
Because PUSD now sits at the center of trading, it made a natural target. The malicious script focused on draining it directly from connected wallets. Reportedly, the vector involved malicious approvals or signature requests.
Once approved, the attacker moved the PUSD out quickly. Then the funds were bridged from Polygon to Ethereum. After the bridge, the attacker swapped the proceeds into roughly 1,893 ETH.
Notably, PUSD held its peg through the incident. It still trades near $1.00 on Polygon, with CoinGecko showing about $0.9998. So the theft hit individual wallets, not the token’s backing.
The on-chain trail is clear, even if the attacker is not. Specter traced the stolen value into a single consolidation address. That wallet, 0xe65b1C…71E1eD, gathered the swapped ETH.
Investigators also flagged several other theft addresses tied to the drain. Specter named wallets such as 0xC771A30a and 0xC44F2Ca6 among the staging points. Two more, 0x10366AdB and 0x7BCECe0d, appear in the same flow.
These wallets show the bridge and swap activity that Specter and PeckShield highlighted. Etherscan and Polygonscan both record the movement publicly. Because every step is on-chain, analysts can follow the funds in real time.
Swapping into ETH is a familiar laundering step. Because ETH is deeply liquid, it is easier to move and harder to freeze. Still, the funds remain visible on-chain for now, which keeps recovery on the table.
Polymarket acknowledged the Polymarket hack the same morning. In a public statement, the platform said it had contained the issue. It also removed the affected dependency that let the script through.
The platform went further on victims. According to Polymarket, it is contacting impacted users and refunding them in full. That pledge covers the wallets drained during the attack.
This is not Polymarket’s first security scare. In May 2026, an internal ops wallet key was compromised, draining around $500,000, though user funds stayed safe. Earlier phishing through comment sections also cost users in 2025.
Each of those cases hit the perimeter rather than the protocol. The June 25 incident fits the same pattern. So the contracts held, but the surrounding infrastructure failed.
Timeline of the Polymarket Frontend Supply-Chain Attack
A third-party service provider used by Polymarket is compromised, allowing attackers to inject a malicious script into the Polymarket frontend. The supply-chain attack affects only a subset of users interacting with the platform.
The malicious frontend script begins targeting connected wallets, ultimately draining approximately $2.94 million to $3 million in PUSD from more than 11 victim wallets on Polygon.
After stealing the assets, the attacker bridges the compromised funds from Polygon to Ethereum in preparation for laundering and consolidation.
The bridged assets are swapped on Ethereum into approximately 1,893 ETH, after which the attacker consolidates the proceeds into a primary wallet.
On-chain investigator SpecterAnalyst publicly reports the exploit, identifying losses of approximately $2.94 million, more than 11 affected wallets, and the attacker’s consolidation address.
Polymarket acknowledges that a third-party vendor was compromised and confirms that malicious code had been injected into the frontend. The company states that the issue has been contained and pledges to fully reimburse all affected users.
PeckShieldAlert amplifies the incident, confirming that the stolen assets were bridged from Polygon to Ethereum and ultimately swapped into approximately 1,893 ETH.
Polymarket continues coordinating victim reimbursements and incident response. No separate public statement has yet been issued by the PUSD issuer, and the broader investigation remains ongoing.
This attack shows that the frontend is now a real attack surface. A trusted site can turn hostile if one vendor is breached. Therefore, connecting a wallet to any dapp carries risk that contracts alone cannot remove.
Users can take a few practical steps right now. First, revoke token approvals you no longer need using a trusted revoke tool. Next, treat unexpected signature requests with suspicion, even on familiar sites.
A hardware wallet adds another layer, since it forces a manual check before signing. None of this is financial advice. Still, basic approval hygiene remains one of the strongest defenses against drains like this one.
For now, Polymarket says refunds are coming and the threat is contained. The open questions are the vendor’s identity and the full victim count. As recovery efforts continue, the on-chain trail gives investigators a clear place to keep watching.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Desran
@Desu_mationYT
@PolymarketTrade Not like I was saying something like this yesterday ;) https://t.co/tQGKU37ljx... they eating good though lol.
Now if I told you that there is several bridge vulns connected to several of the highest contracts on poly what would you say? MMM crypto is so fun. Can't wait to see what happens soon. Several, more incoming I'd guess ;). Myoglobin, and Insulin Folding in light for 20 folds. https://t.co/mUbx8NYf4o https://t.co/P5PC13KiJX
05:50 PM·Jun 25, 2026
Vee
@leaveVeeAlone
@PolymarketTrade I spent weeks telling you this and you ignored it. The next time l find a vulnerability, l will sell it to criminal gangs.
This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.
04:39 PM·Jun 25, 2026
john pera
@isweepyou
@PolymarketTrade lol. imagine trusting a third party vendor for anything on the internet. https://t.co/VUaBQd5K6o
This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.
02:44 PM·Jun 25, 2026
Polymarket Hack Drains $3M in PUSD via Frontend Exploit
SecondFi Wallet Exploit Drains 16 Million ADA From Users
Jaredfromsubway Exploit Funds Move To Tornado Cash Despite 50% Bounty
Taiko Bridge Exploit Drains $1.7M Through SGX Key Exposure
Polymarket Hack Drains $3M in PUSD via Frontend Exploit
SecondFi Wallet Exploit Drains 16 Million ADA From Users
Jaredfromsubway Exploit Funds Move To Tornado Cash Despite 50% Bounty
Taiko Bridge Exploit Drains $1.7M Through SGX Key Exposure
