Polymarket Hack Climbs to $3.1 Million Despite Promised Full Refunds
The attack hit 11 accounts through a phishing campaign and a compromised vendor; Polymarket says it fixed the vulnerability and is arranging PUSD refunds.

Key Takeaways
- Polymarket was hit by a hack that reportedly stole about $3.1 million in PUSD tokens from 11 user accounts.
- The attack started with a phishing campaign and a compromised vendor that injected malicious code into the platform's frontend.
- Polymarket says it fixed the vulnerability and is promising full refunds in PUSD for affected users.
Polymarket, the decentralized prediction market platform, has been hit by a major hack that reportedly drained about $3.1 million in PUSD from users. Investigators say the attackers used a phishing campaign targeting 11 accounts, then moved the stolen funds from Polygon to Ethereum.
Details of the Attack and Polymarket's Response
The breach came to light after a third-party vendor used by Polymarket was compromised and a malicious script was inserted into the platform's frontend for some users. Polymarket says it has now removed the affected dependency, fixed the issue, and contacted impacted users with a promise to make them whole in PUSD, the platform's native transaction token.
Blockchain security firm PeckShield reported that the attackers' phishing effort led to the theft of roughly 1,893 ETH, worth nearly $3 million at the time. The estimated loss was later revised by AMLBot to $3.1 million. One victim also posted about the incident on social media, saying their wallet was drained without them understanding how the attack happened.
Recent Security Issues and Investigation
This is not the first security problem Polymarket has faced. In March, reports surfaced of a possible exploit that drained more than $520,000 from two smart contracts on the Polygon blockchain. Polymarket said at the time that user funds were safe. Before that, in December, the platform flagged another security incident in its Discord channel after users reported missing funds and suspicious login attempts. That earlier issue was tied to a third-party login provider.
At the same time, Polymarket is under federal scrutiny over reports of misleading social media marketing, including posts that ranked users by profits. The probe comes after earlier penalties and restrictions, including a $1.4 million fine from the U.S. Commodity Futures Trading Commission (CFTC) in 2022 for offering binary contracts without the proper licenses.
Why This Matters for European Crypto Users
Polymarket may have returned to the U.S. market after acquiring a CFTC-licensed exchange, but the platform is still facing pressure abroad. It remains banned in countries including France, Brazil, and India over compliance concerns tied to gambling and betting rules. For European crypto users, the incident is another reminder to stay cautious on decentralized platforms, where phishing remains a major risk and security standards are still evolving. It also reflects a broader shift in crypto attacks, where criminals increasingly exploit people and operations instead of code alone, as shown by crypto security requires more than audits to prevent losses.