Polymarket frontend supply-chain attack drains $3 million
Attackers compromised a third-party frontend vendor and injected malicious JavaScript into Polymarket's website, tricking users into approving fraudulent transactions and draining about $3 million.
- Victim: Polymarket
- Loss: $3.0M
On 26 June 2026, Polymarket, the large cryptocurrency-based prediction market, confirmed a supply-chain attack in which a compromised third-party frontend vendor was used to inject malicious JavaScript into the platform's website. The tampered code lured users into approving fraudulent transactions, draining roughly $3 million in crypto assets from fewer than 15 accounts.
Polymarket stressed that its backend infrastructure and servers were not compromised: the breach was confined to the browser-side experience delivered to users. The company committed to fully reimbursing every affected customer.
What happened
The attackers did not break into Polymarket's own systems. Instead they compromised a third-party dependency loaded by Polymarket's frontend, allowing them to serve malicious JavaScript to visitors of the site. When users went to interact with the market, the injected code manipulated the transactions presented for signature, so that victims who approved what looked like a routine action were in fact authorising transfers that drained their wallets.
According to incident analyses, the stolen assets, primarily pUSD (Polymarket's dollar-pegged token), were converted into roughly 1,893 ETH and bridged from the Polygon network to the Ethereum blockchain, a common laundering step that complicates recovery.
Impact
- Approximately $3 million in cryptocurrency assets stolen.
- Fewer than 15 user accounts affected, but losses per account were substantial.
- Polymarket's core platform and order-matching backend were unaffected; the compromise was limited to frontend user interactions.
- The company pledged to reimburse all affected customers in full.
Why it matters
The incident is a textbook example of a frontend / supply-chain compromise against a financial platform: even when an organisation's own servers are well defended, a single tampered third-party dependency loaded in the browser can turn the legitimate site into a phishing surface that users have no reason to distrust. For decentralised-finance platforms in particular, where users routinely sign on-chain transactions through a web interface, the security of every script in the frontend supply chain is as load-bearing as the smart contracts themselves. The episode also drew renewed regulatory attention to Polymarket, which has separately faced scrutiny from U.S. derivatives regulators.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
- cybernews.com: https://cybernews.com/security/polymarket-hit-by-cyberattack-via-third-party-dependency/
- rescana.com: https://www.rescana.com/post/polymarket-supply-chain-attack-analysis-3-million-cryptocurrency-theft-via-compromised-third-party-dependency