A hack at the crypto betting platform Polymarket shows how an attacker can drain user funds without ever breaking the core software.
What happened
Polymarket said hackers compromised a third-party vendor whose code runs on its website and used that access to inject malicious code, stealing cryptocurrency from users, TechCrunch reported. The company said it had "contained" the incident and was contacting affected users and "refunding them in full," according to a post on X. A spokesperson confirmed the theft but declined to give details.
This is a supply-chain-style attack: Polymarket's own application and the blockchain smart contracts that settle its bets were not directly broken into. Instead, a trusted outside vendor was compromised, letting attackers piggyback on that relationship at the website layer — where users actually click and transact.
How much, and who
The blockchain-security firm PeckShield estimated the theft at about $3 million in crypto, and a separate analyst counted more than 11 victims, TechCrunch said. Polymarket has not confirmed either figure, and the full scope was still unclear; at least two users had reported missing funds publicly before the company's disclosure. PeckShield also flagged a phishing campaign aimed at Polymarket users around the same time, though it isn't confirmed whether that is the same incident.
What Polymarket is
Founded in 2020, Polymarket is one of the largest prediction markets by volume. Users deposit crypto — mostly the dollar-pegged stablecoin USDC — and bet on real-world outcomes, from elections and Fed decisions to sports, with winning contracts paying $1 and losing ones $0. It runs on the Polygon blockchain and drew mainstream attention during the 2024 U.S. election. Because balances are held in transferable crypto, they make an attractive target.
Why the distinction matters
For users, the lesson is uncomfortable: a platform can have audited, secure smart contracts and still lose customer funds through the ordinary web infrastructure around them. A contract exploit and a vendor-injected script produce the same result — money gone. The reassuring part is that the theft appears confined to the interface layer rather than the settlement layer, and Polymarket has pledged full reimbursement; the open questions are how much was taken, how many were hit, and which vendor was breached. The company has not yet published a post-mortem.
A rough week
The breach caps a bad stretch. Days earlier, an investigation found Polymarket had paid online creators to post videos depicting fake winning bets, prompting the company to say it would audit its promotional content. For the fast-growing prediction-market sector, the episode is a reminder that operational security — vendors, websites, ad partners — is now as consequential as the cryptography underneath.