Polymarket hit by $2.9M theft, users to be refunded
A third-party vendor compromise injected a malicious script into Polymarket’s frontend, affecting multiple users and enabling a phishing attack that drained an estimated $2.94 million from at least 11 wallets. Polymarket said the issue has been contained, the affected dependency removed, and users will be fully refunded. The incident was the 89th reported crypto security breach in the second quarter, extending the most-hacked quarter on record by incident count. June crypto exploit losses reached $74.9 million across 29 incidents, up from May but far below April’s spike. Major losses included Humanity Protocol, Secret Network, Aztec, and Taiko. Over the past 30 days, private key compromises were the leading attack vector, accounting for 43% of reported losses. Polymarket had also disclosed a separate $600,000 exploit about a month earlier tied to an old internal private key.
