Polymarket Phishing Attack Drains Nearly $3 Million From User Wallets

Polymarket confirmed that a third-party vendor compromise enabled attackers to inject a malicious script into its frontend.

This led to a phishing attack that stole an estimated $2.94 million from at least 11 user wallets. The platform contained the incident, removed the affected dependency, and said impacted users will be fully reimbursed.

Polymarket Users Lose $2.94 Million

Polymarket confirmed that a third-party vendor compromise allowed attackers to inject a malicious script into its frontend. This led to a phishing attack that drained an estimated $2.94 million from at least 11 user wallets. The incident was discovered on Thursday and has since been contained.

Blockchain analyst Specter identified the attack as a phishing campaign that targeted users through the compromised frontend rather than exploiting Polymarket's core infrastructure. In response, Polymarket assured users that the issue had been resolved and pledged to fully reimburse those affected by the attack.

The incident adds to an already concerning trend in the cryptocurrency industry. According to DefiLlama, the Polymarket attack was the 89th reported crypto security breach during the second quarter. This makes it the highest quarter on record by the number of hacking incidents.

Crypto exploit losses reached approximately $74.9 million across 29 reported incidents in June. This is more than May's total of $60.5 million but is still well below April's $644 million.

Among the largest exploits recorded during June were the $36 million Humanity Protocol hack, a $4.7 million exploit affecting the Secret Network bridge, two separate $2.1 million exploits targeting Aztec, and a $1.7 million bridge exploit on Taiko.

DefiLlama data also showed that private key compromises were responsible for 43% of exploit losses over the past 30 days, making them the most common attack vector. Fake proof exploits accounted for 10% of reported losses, while reverse MEV honeypots represented 8%, using deceptive trading opportunities to manipulate automated trading bots.

The latest security incident comes only a month after Polymarket disclosed a separate $600,000 exploit linked to a six-year-old private key used for internal top-up operations. At the time, Vice President of Engineering Josh Stevens said the platform's smart contracts and user funds remained secure and confirmed that all permissions associated with the compromised key had been revoked.