New York, June 26, 2026, 04:02 EDT
- Polymarket plans to reimburse users who were hit by a vendor frontend script, the company said.
- Public estimates say the drain is around $2.94 million to $3 million.
- User losses seem limited, but each user lost brings a big dollar hit.
- Investors are worried about trust in market data and controls. The cash outlay isn’t what’s bothering them.
Polymarket’s latest hack is small next to its market valuation. But the numbers point to changing risk for investors—it’s less about smart contracts and more about the web layer users see.
Polymarket said on Thursday that a third-party vendor was compromised, which let attackers slip malicious code onto its frontend seen by some users. The company said it contained the issue, removed the bad dependency, and is now contacting users who lost funds to offer refunds. A Polymarket spokesperson, Connor Brandi, told TechCrunch that user funds were stolen but didn’t say more.
Specter, an on-chain analyst, estimated a $2.94 million loss across at least 11 Polymarket accounts. Cryptopolitan, referencing Specter, reported the stolen funds were PUSD at first, swapped for ETH, and sent to a single wallet. Each account lost roughly $267,000, before any possible recovery.
Polymarket exploit involved fewer than 15 accounts, according to Bubblemaps, Decrypt said. With that limit, average losses top $200,000 per account if the numbers hold up. The wallets targeted had PUSD, the token tied to the dollar and backed by USDC that Polymarket traders use.
SlowMist’s hack tracker labeled the incident as a supply-chain attack. About $3 million got drained from PUSD. Polymarket removed the dependency that was hit, according to SlowMist.
Investors are shrugging off the cash loss. The $2.94 million compares to the $1.48 billion in prediction-market open interest a16z Crypto reported for the week ended June 15, or about 0.2%.
Intercontinental Exchange (NYSE:ICE) said in October it would invest up to $2 billion in Polymarket, valuing the company at $8 billion before the investment. ICE is also set to offer institutional investors access to Polymarket’s event-driven data. ICE CEO Jeffrey Sprecher called Polymarket “building usage and distribution.” Polymarket CEO Shayne Coplan said the investment brings prediction markets into the “financial mainstream.” Intercontinental Exchange
Polymarket head of experience William LeGate pushed back on claims that users would lose money. “We are refunding affected users in whole, there are no user ‘losses’,” he told Gizmodo. Gizmodo
The rule cuts the impact on customers if refunds are paid. But it leaves investors with questions—what vendor risk is still sitting between a trader’s wallet and the market ICE wants to set up for institutional data?
Polymarket is facing its second security issue in just over a month after the breach on June 25. Back in May, CoinDesk reported that attackers stole more than $520,000 from two Polygon smart contracts. Polymarket’s developers said the May theft was due to a private key being compromised from an internal ops wallet. At that time, Polygon Labs CTO Mudit Gupta said, “Polymarket contracts are safe. User funds are safe.” CoinDesk
This week, the issue showed up on the frontend. For a consumer company, that’s at the checkout.
Polymarket was hacked after a Wall Street Journal investigation, TechCrunch said, that found the company paid creators to post deceptive videos showing fake trades and winnings. Polymarket said it will audit its promos.
Polymarket has not named the vendor involved, isn’t saying how many users are affected, and hasn’t disclosed its dollar loss.
