Polymarket Confirms $3 Million Loss From Third-Party Front-End Supply-Chain Breach
Polymarket confirmed Friday that hackers drained approximately $3 million from users through a compromised third-party vendor that injected malicious code into the platform’s website, according to PeckShield. The prediction-market platform said it had contained the breach and would refund affected users in full.
“This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users,” Polymarket’s official X account posted Friday. “We’ve contained it & removed the affected dependency. We’re contacting impacted users and refunding them in full.”
Blockchain security firm PeckShield estimated that roughly $3 million in pUSD, Polymarket’s USDC-backed trading stablecoin on Polygon, was stolen. A blockchain analyst cited by SecurityWeek confirmed losses from at least 11 victim accounts. The attacker bridged the stolen funds from Polygon to Ethereum and swapped them into approximately 1,893 ETH. On-chain analytics firm Bubblemaps concluded that fewer than 15 accounts were affected overall.
Supply-Chain Vector
The attack did not touch Polymarket’s core smart contracts or backend servers. Instead, the attacker compromised an unnamed third-party software dependency that Polymarket’s web frontend loads. When users connected their wallets on the affected site, a hidden script triggered transaction-approval prompts, routing funds to attacker-controlled wallets. Polymarket has not publicly identified which vendor was breached.
The attack vector follows a now-documented pattern in crypto. In December 2023, an attacker hijacked a former Ledger employee’s npm publishing credentials and pushed malicious versions of `@ledgerhq/connect-kit`, a JavaScript library loaded by more than 100 DeFi frontends. That supply-chain compromise drained user funds before a patch went live. Polymarket’s breach follows the same logic: the protocol layer stayed intact while the delivery mechanism for the web interface was turned against users.
Second Breach in Two Months
Polymarket, valued at approximately $9 billion, saw $25.7 billion in March 2026 trading volume alone. Monthly global prediction-market volume has scaled to approximately $21 billion, per TRM Labs research.
Friday’s breach is the platform’s second reported security incident in recent months. Polymarket has pledged to absorb the full cost of refunds so that no affected user suffers a net loss.
Regulatory Backdrop
The breach arrived alongside separate reports from Bloomberg and CNBC that the CFTC has opened a broad investigation into Polymarket, following a Wall Street Journal investigation that revealed a misleading influencer marketing campaign. The Defiant reported that bipartisan senators had asked the CFTC chair whether the agency was probing that campaign. The WSJ investigation found $1.9 million in apparently fabricated wins across creator videos.
Polymarket received CFTC clearance to re-enter the U.S. market in November 2025 after years of blocking American users, and launched a regulated app in December 2025 under that approval. The Defiant covered Zuckerberg’s move to order Meta to build a competing prediction-market app codenamed Arena and to explore potential partnerships with Polymarket and Kalshi.
The CFTC investigation is ongoing with no timeline announced. Polymarket has not disclosed when affected users will receive their refunds.
