New York, June 26, 2026, 04:02 EDT
- Polymarket said it plans to pay back users affected by a vendor-borne frontend script.
- Public estimates put the drain at about $2.94 million to $3 million.
- The user hit looks narrow, but the dollar loss per user is high.
- Investor concern is around trust in market data and controls. The cash outlay isn’t the problem.
Polymarket’s recent hack isn’t big compared to the value the market puts on the prediction-market operator. Still, the numbers show investors that risk is shifting—now less about smart contracts, more about the web layer users interact with.
Polymarket said Thursday a third-party vendor got compromised, letting attackers inject malicious code into its frontend for some users. The company said it has contained it, taken out the affected dependency, and is reaching out to users who lost money to refund them. TechCrunch reported that Polymarket spokesperson Connor Brandi confirmed user funds were stolen but gave no extra details.
Specter, an on-chain analyst, put the loss at $2.94 million spread over at least 11 Polymarket accounts. Cryptopolitan, citing Specter’s findings, said the funds started as PUSD, were converted to ETH, then sent to a final wallet. That’s about $267,000 per affected account, not including any possible refund.
Decrypt said Bubblemaps counted fewer than 15 affected accounts. That cap means the theft averages over $200,000 per account if accurate. The stolen wallets contained PUSD, the Polymarket-only token tracking the dollar and backed by USDC, which traders use on the platform.
SlowMist’s hack tracker called it a supply-chain attack. Around $3 million was drained from PUSD. Polymarket took out the impacted dependency, SlowMist said.
Investors aren’t focused on the cash loss. The $2.94 million figure is roughly 0.2% of the $1.48 billion in prediction-market open interest that a16z Crypto reported for the week ended June 15.
Intercontinental Exchange (NYSE:ICE) in October said it would put as much as $2 billion into Polymarket, valuing it at $8 billion pre-investment. ICE also plans to give institutional investors access to Polymarket event-driven data. ICE CEO Jeffrey Sprecher called Polymarket “building usage and distribution,” and Polymarket CEO Shayne Coplan said the deal brought prediction markets to the “financial mainstream.” Intercontinental Exchange
William LeGate, who heads experience at Polymarket, responded to talk that users would take a loss. “We are refunding affected users in whole, there are no user ‘losses’,” he told Gizmodo. Gizmodo
That limits the hit to customers if refunds go out. But it leaves investors asking: how much vendor risk is still between a trader’s wallet and the kind of market ICE aims to build around institutional data.
Polymarket is dealing with its second security incident in just over a month after the June 25 breach. In May, CoinDesk said attackers took more than $520,000 from two Polygon smart contracts. According to Polymarket developers, that theft was caused by a private-key compromise linked to an internal operations wallet. At the time, Polygon Labs CTO Mudit Gupta said, “Polymarket contracts are safe. User funds are safe.” CoinDesk
This week’s incident stands out as the problem was in the frontend. For a consumer market, that’s basically at the cash register.
The hack follows a Wall Street Journal probe, as TechCrunch summarized, that reported Polymarket paid creators to release misleading videos with fake trades and fake winnings. Polymarket said it plans to audit its promotional content.
Polymarket isn’t saying which vendor was involved, how many users were affected, or what its own loss is in dollars.
