Polymarket’s $3 Million Frontend Hack Hits 11 Wallets Holding PUSD

Polymarket got hit. A suspected phishing attack on one of the platform’s third-party vendors let hackers inject malicious scripts directly into the prediction market’s frontend, draining nearly $3 million from users who held the platform’s stablecoin, PUSD.

The breach came to light through an announcement on Polymarket Traders X. Per the post, the compromised dependency has since been removed and the platform says it will fully refund every user affected. Eleven wallets took the hit. The stolen PUSD was quickly converted into Ethereum and moved to a single address — 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD — according to crypto security analyst Specter, who tracked the movement of funds in real time. That kind of rapid conversion is pretty much textbook for this type of attack: swap the stolen assets fast, consolidate into one address, and make tracing harder.

Eleven wallets. Almost $3 million gone.

A Third-Party Vendor Did the Damage

The attack vector here wasn’t Polymarket’s core contracts or its own backend infrastructure. It was an external vendor — a third-party dependency baked into the frontend. Hackers targeted that outside partner, got a foothold, and from there quietly pushed malicious code into what users actually see and interact with when they open the site. Users holding PUSD in connected wallets had no obvious reason to suspect anything was wrong. The scripts did their job before most people knew the breach was even happening.

Specter’s analysis pointed to phishing tactics as the likely method used to compromise the vendor in the first place. Once inside, the attackers moved with speed and coordination. The stolen funds didn’t sit anywhere for long — the swap to ETH happened fast, and the consolidation into that single address was clean. It suggests a group that knew exactly what it was doing and had a plan ready before the first script ever loaded.

Polymarket said it’s reached out for comment but further details from the company are still pending. No additional disclosures have come yet.

Second Major Breach in Consecutive Months

What makes this worse is the timing. Last month — not six months ago, not a year ago — Polymarket dealt with a separate security incident. That one involved a compromised old private key and cost the platform $700,000. The company was clear that the private key breach didn’t touch its contracts or core infrastructure, but that’s cold comfort when you’re now looking at a second incident in as many months, this one nearly four times bigger.

Related: $5.1 Million Hits Tornado Cash in 20 Transactions After jaredfromsubway.eth Exploit

Two hacks back to back. That’s a rough stretch for any platform.

The crypto space broadly has watched third-party supply chain attacks become more common and more damaging. Malicious code injected through external dependencies is hard to catch before it causes harm — the code often looks legitimate, arrives through a trusted channel, and sits inside someone else’s system that the main platform doesn’t directly control. It’s a known weak point, and attackers have gotten good at exploiting it.

Polymarket isn’t the only platform that’s faced this kind of exposure. Across the industry, projects that rely on external JavaScript libraries, widget providers, or analytics tools have found themselves vulnerable to exactly this type of indirect attack. The frontend is often treated as lower-risk than smart contracts or private key management, but incidents like this one keep proving that assumption wrong.

The refund commitment from Polymarket matters. For the eleven affected users, getting their funds back is the immediate priority, and the platform moving quickly on that probably softens some of the reputational damage. But promises to refund don’t automatically rebuild confidence in the security posture itself, especially with a second incident on the books so soon.

What Polymarket hasn’t done yet — at least publicly — is lay out what changes it’s making to how it vets and monitors third-party vendors going forward. That’s the piece the crypto community is probably most interested in right now. The removal of the compromised dependency is a reactive step. What’s the proactive one?

More context: MemeCores M Token Loses 80% in Hours, Wiping Out $3 Billion as Insider Manipulation Fears Grow

Unclear. No details on that yet.

The investigation is ongoing. Specter and other on-chain analysts are still tracking the wallet at 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD. The stolen ETH hasn’t moved to any known exchange as of the latest reports, which means the funds are probably still sitting there — or moving through mixers. Either way, recovery looks unlikely without a broader law enforcement action.

Eleven wallets. $3 million. And the platform is still waiting on further comments to share.