Attackers breached a third-party vendor to inject malicious JavaScript into Polymarket's frontend on June 25, draining approximately $2.94 million in PUSD from at least 11 user wallets before the platform contained the incident the same day.

The attack exploited no smart-contract flaw. The malicious script ran when users connected their wallets to Polymarket's site and obtained approvals for PUSD token transfers that users did not knowingly grant. PUSD is the platform's USDC-backed collateral token, held on Polygon. Because an ERC-20 approval persists until it is revoked, anyone who connected a wallet to the site during the exposure window should check their PUSD allowances and revoke any granted to an unfamiliar spender, rather than relying on the refund alone. Once drained, the funds were routed through multiple staging wallets, bridged to Ethereum, and consolidated into approximately 1,893 ETH at address 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD.
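The script described above obtained token approvals at wallet-connect time. As an added illustration (not Polymarket's code, and not the attacker's script), the JavaScript below shows the check a wallet or a frontend-side guard can run on an outgoing `eth_sendTransaction` request before it is signed: decode ERC-20 `approve(address,uint256)` calldata and flag an unlimited allowance or a spender outside an allowlist. The allowlist, the token address and the "drainer" spender are placeholders I made up for the example, and the three transactions are constructed samples.

```javascript
// Added example (not from the article or from Polymarket): flag suspicious
// ERC-20 approvals in an eth_sendTransaction request before it is signed.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist of contracts the legitimate frontend asks users to
// approve as spender. Placeholder addresses, not real Polymarket contracts.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// ABI-encode approve(spender, amount) so we can build sample calldata.
function encodeApprove(spender, amount) {
  const spenderWord = spender.slice(2).toLowerCase().padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + spenderWord + amountWord;
}

// Decode approve() calldata; returns null for anything that is not an approve.
function decodeApprove(data) {
  if (typeof data !== "string") return null;
  const hex = data.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR)) return null;
  const args = hex.slice(10);
  if (args.length !== 128) return null; // exactly two 32-byte words expected
  return {
    spender: "0x" + args.slice(24, 64), // address is right-aligned in its word
    amount: BigInt("0x" + args.slice(64, 128)),
  };
}

// Assess one transaction object in the shape a wallet receives it.
function assessTransaction(tx) {
  const approve = decodeApprove(tx.data);
  if (!approve) return { risky: false, reasons: [] };
  const reasons = [];
  if (!KNOWN_SPENDERS.has(approve.spender)) reasons.push("unknown spender");
  if (approve.amount === MAX_UINT256) reasons.push("unlimited allowance");
  return { risky: reasons.length > 0, reasons, spender: approve.spender, amount: approve.amount };
}

// Constructed samples. PUSD_TOKEN is a placeholder, not the real contract.
const PUSD_TOKEN = "0x3333333333333333333333333333333333333333";
const LEGIT_TX = {
  to: PUSD_TOKEN,
  data: encodeApprove("0x1111111111111111111111111111111111111111", 1000n * 10n ** 6n), // 1000 tokens, 6 decimals
};
const DRAINER_TX = {
  to: PUSD_TOKEN,
  data: encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256),
};
const PLAIN_TRANSFER_TX = { to: PUSD_TOKEN, value: "0x0", data: "0x" };

for (const [name, tx] of Object.entries({ LEGIT_TX, DRAINER_TX, PLAIN_TRANSFER_TX })) {
  console.log(name, assessTransaction(tx));
}
```

The drainer sample trips both rules; the legitimate sample trips neither. A real guard would also confirm that `tx.to` is the token the frontend intends to spend, and would treat `setApprovalForAll` and `permit` signatures with the same suspicion, since they grant the same kind of standing authority.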

On-chain investigator Specter was first to publicly report the drain. Polymarket confirmed the breach approximately 15 minutes after Specter's disclosure and removed the compromised dependency the same day. The company's statement: "We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full." Growth Lead William LeGate confirmed the refund commitment to Benzinga. Blockchain analytics firm Bubblemaps assessed the damage as limited, with fewer than 15 accounts affected. The identity of the compromised vendor has not been publicly disclosed.

Second security incident in 2026

This is Polymarket's second security incident in 2026. In May, a compromised employee wallet used for account top-ups and reward payments cost the platform roughly $500,000 (per Blockonomi) to $700,000 (per Decrypt); user trading funds were not directly at risk in that case. The two incidents hit distinct layers: internal infrastructure (an operational hot wallet) in May, the frontend delivery layer in June.

Frontend infrastructure as the new attack surface

As contract-layer code has received more formal auditing, attackers have shifted toward the surrounding infrastructure: JavaScript dependencies, vendor libraries, and CDN-hosted scripts that reach every connected wallet simultaneously without touching the protocol. A poisoned frontend script needs no contract vulnerability; it needs only a dependency that can be compromised upstream. Once it runs in the page, it has the same access to the connected wallet as the legitimate frontend, so the remaining defenses are the user's wallet prompt and how strictly the frontend pins and verifies what it loads.

Prediction markets such as Polymarket route high-value user wallets through a web frontend to take positions on events ranging from elections to macroeconomic data releases, which makes that frontend a concentrated target. As of this report, the stolen funds remain consolidated on-chain at the address above.