Polymarket Wallet Theft After Frontend Script Injection
About $3.1 million in PUSD was taken from 11 user wallets after Polymarket said a compromised third-party vendor injected malicious code into parts of its frontend; full refunds were promised.
Reporting on 2026-06-27 indicated that about $3.1 million in PUSD was stolen from 11 Polymarket user wallets after malicious code was reportedly injected into the platform’s frontend through a compromised third-party vendor.<sup class="cite">[1]</sup><sup class="cite">[3]</sup> The stolen assets were said to have been taken from Polygon and bridged to Ethereum.<sup class="cite">[2]</sup> Polymarket stated that it had contained the incident, removed the affected dependency, and would refund impacted users in full.<sup class="cite">[4]</sup> What is established in the present record is the reported loss amount, wallet count, bridge movement, and the platform’s stated remediation steps.<sup class="cite">[1]</sup><sup class="cite">[2]</sup><sup class="cite">[4]</sup> What remains contested is the precise classification of the event—phishing, vendor compromise, or a combination of both—and the final recovery or reimbursement outcome.
This post-mortem relied on the source record provided in the brief, principally CoinDesk’s contemporaneous reporting, which attributed factual elements to Polymarket, AMLBot, and PeckShield.<sup class="cite">[1]</sup><sup class="cite">[2]</sup><sup class="cite">[3]</sup><sup class="cite">[4]</sup><sup class="cite">[5]</sup> Verification was limited to claims explicitly contained in that record: reported losses, affected wallet count, stated asset movement, the platform’s description of the frontend compromise, and the announced refund commitment.<sup class="cite">[1]</sup><sup class="cite">[2]</sup><sup class="cite">[3]</sup><sup class="cite">[4]</sup> No independent on-chain reconstruction, court filing review, or wallet-level attribution was available in the brief, so unresolved points are treated as unestablished rather than inferred.
The incident concerned a reported theft of about $3.1 million in Polymarket’s PUSD token from 11 user wallets, disclosed in reporting dated 2026-06-27.[1] The available record described the event as a user-wallet compromise associated with Polymarket’s web interface rather than as a protocol-level drain of treasury assets or a smart-contract exploit.[1][3] At the same time, the public characterization of the mechanism was not fully uniform: Polymarket attributed the event to a compromised third-party vendor that injected malicious code into its frontend for some users, while PeckShield described the activity as a phishing campaign targeting Polymarket users.[3][5]
The earliest pivotal element established in the record was Polymarket’s statement that a third-party vendor had been compromised and that this compromise resulted in a malicious script being injected into the frontend seen by some users.[3] That description matters because it places the initial point of failure outside the core application logic and inside a dependency or service relationship that had effective control over code delivered to end users.[3] In practical terms, the reported mechanism implied that users interacted with a legitimate interface that had been altered in transit or at the dependency layer, creating conditions under which wallet approvals or signing flows could be manipulated without a direct breach of the users’ devices being established in the public record.[3] As of 2026-06-27, however, the dossier did not establish the exact malicious payload, the duration of exposure, or whether all affected users encountered the same injected behavior.
A second pivotal element was the reported scope of loss. CoinDesk stated that hackers stole about $3.1 million in PUSD from 11 user wallets.[1] The concentration of losses in a limited number of wallets suggested a targeted or selectively successful campaign rather than a platform-wide compromise affecting all active users, although the present record did not establish how the 11 wallets were selected or whether they shared common behavioral or technical characteristics.[1] Because the losses were described at the wallet level, the incident appears in the record as a compromise of user-controlled assets mediated through the frontend environment, not as an unauthorized transfer from a centralized omnibus account.[1][3]
The third pivotal element was post-theft movement. Reporting stated that the stolen assets were taken from Polygon and immediately bridged to Ethereum.[2] That sequence is consistent with a common laundering or obfuscation step in cross-chain thefts: assets are removed from the chain of origin and transferred into another execution environment before further dispersal.[2] In this case, the bridge movement was attributed in the reporting to external blockchain-intelligence analysis rather than to a public law-enforcement filing or a platform-issued forensic report.[2] The brief did not provide transaction hashes, destination addresses, or subsequent routing behavior after arrival on Ethereum, so the public record summarized here supports only the narrower statement that the funds were reported to have moved from Polygon to Ethereum.[2]
Public explanation of the attack vector remained partly bifurcated. Polymarket’s own statement framed the event around a compromised vendor and malicious frontend dependency, whereas PeckShield said hackers had deployed a phishing campaign targeting Polymarket users.[3][5] These descriptions are not necessarily mutually exclusive. A malicious script inserted into a legitimate frontend can function as a phishing instrument if it induces users to sign deceptive approvals or transactions while believing they are interacting with the expected interface.[3][5] Even so, the present dossier did not establish whether the operative theft mechanism was a fraudulent signature request, a token approval abuse, credential capture, or another user-action pathway. For that reason, the most defensible classification on the current record is a hybrid one: social engineering delivered through a third-party frontend compromise.[3][5]
Polymarket stated that it had contained the incident and removed the affected dependency.[4] That response indicated that the platform treated the malicious code path as identifiable and severable, at least at the dependency level described in its statement.[4] The same statement said the platform was contacting impacted users and refunding them in full.[4] On the available record, this refund commitment was the principal remediation measure publicly disclosed. No court filing, insurer statement, or later platform accounting was included in the brief to confirm whether refunds had been completed, whether they covered all categories of loss, or whether reimbursement came from treasury funds, reserves, counterparties, or another source.[4]
The documented consequences were therefore threefold. First, users reportedly lost about $3.1 million in PUSD across 11 wallets.[1] Second, the stolen assets were reportedly bridged from Polygon to Ethereum, complicating straightforward chain-local tracing.[2] Third, the incident occurred amid separate reporting that Polymarket was under federal investigation over allegedly deceptive social media promotions, a contextual factor noted by CoinDesk but not causally linked in the present record to the theft itself.[6] Beyond those points, the brief did not establish arrests, civil litigation, asset freezes, or a confirmed recovery amount.[4]
Discussion
In CryptoMortem’s archive context, this event ranked #43 of 57 by severity and #24 of 29 within the hack category, placing it in the lower-severity portion of the catalogue by loss size despite the operational significance of the compromise. The attack vector classification supplied in the brief, social_engineering, had 6 prior events in the archive with cumulative $0.36B affected and mean recovery 50.0%; among those, 1 was fully recovered and 1 had low/no recovery. That comparison is relevant because the present record includes a refund pledge but no confirmed recovery or reimbursement completion. Within the broader hack set, there were 12 other records in the archive, with mean recovery 91.6% and mean resolution 465 days. On that benchmark, the Polymarket case presently sits in an indeterminate state: remediation was announced quickly, but resolution cannot yet be scored from the available evidence. The structural patterns attached to the brief were also recurrent rather than exceptional. The pattern social_engineering_attack_vector had been observed in 10 prior events, including 5 in the past 12 months. single_point_of_control had appeared in 31 prior events, including 15 in the past 12 months. absence_of_withdrawal_monitoring had appeared in 15 prior events, including 10 in the past 12 months. Those recurrence counts place the incident within a well-established failure family: a user-facing compromise delivered through a concentrated control point, followed by asset movement before intervention. In an archive of 58 total events, with 28 in the 12 months preceding this incident, the case fits an increasingly common pattern in which the decisive weakness lies not in core protocol code but in the trust boundary around interfaces, dependencies, and transaction-signing prompts.
Comparative analytics
All comparisons computed against the 58-event CryptoMortem archive at time of publication.
- Severity rank across full archive: #43 of 57 (26.3th percentile).
- Severity rank within same event type: #24 of 29.
- Attack vector "Social Engineering": 6 prior events in archive, cumulative $357M, mean recovery 50.0%; 1 fully recovered, 1 with low or no recovery.
- Event type "Hack": 12 other records in archive, mean recovery 91.6%, mean resolution 465 days.
- Pattern "Social Engineering Attack Vector": observed in 10 prior events (5 in the past 12 months).
- Pattern "Single Point Of Control": observed in 31 prior events (15 in the past 12 months).
- Pattern "Absence Of Withdrawal Monitoring": observed in 15 prior events (10 in the past 12 months).
- Archive context: 58 events catalogued; 28 in the 12 months preceding this incident.
Limitations
The present record is narrow. It does not establish the attacker’s identity, whether a single actor or multiple actors were involved, or whether the incident should be classified primarily as phishing, third-party vendor compromise, or both. It also does not provide the exact wallet addresses, transaction hashes, or a full on-chain path beyond the reported movement from Polygon to Ethereum. Although Polymarket said impacted users would be refunded in full, the dossier does not confirm a final reimbursement amount, a completion date, or whether any stolen assets were directly recovered. No court filings, law-enforcement statements, or independent forensic reports were included in the brief.
Timeline
- CoinDesk reports updated loss estimate
CoinDesk published that the Polymarket incident had been updated to about $3.1 million.
source → - Funds bridged from Polygon to Ethereum
AMLBot said the stolen assets were taken from Polygon and immediately bridged to Ethereum.
source → - Polymarket cites compromised vendor
Polymarket said a third-party vendor had been compromised and a malicious script injected into its frontend.
source → - Platform promises full refunds
Polymarket said it had contained the issue, removed the dependency, and would refund impacted users in full.
source → - PeckShield describes phishing campaign
PeckShield said the attack was a phishing campaign targeting Polymarket users.
source → - Federal-investigation reporting cited
CoinDesk said the phishing report followed coverage that Polymarket was under federal investigation over allegedly deceptive social media promotion.
source →
Who was involved
- AMLBotprojectbystander
- PeckShieldprojectbystander
- Specter Analystprojectbystander
- Polymarketprojectvictim$3.1M
Legal record
- Sentence
- null
- Verdict Date
- null
Structural failures identified
Sources
- Polymarket hack updated to $3.1 million days after the platform promised users full refunds, CoinDesk — Loss estimate, affected wallets, bridge movement, Polymarket response, phishing characterization, and federal-investigation context