Polymarket hit by $2.9M theft, users to be refunded
A third-party vendor compromise let attackers inject a malicious script into Polymarket’s frontend, affecting multiple users. Blockchain analyst Specter said the script enabled a phishing attack that drained an estimated $2.94 million from at least 11 wallets. Polymarket said the issue was contained, the affected dependency was removed, and users will be fully refunded.

The incident was the 89th reported crypto security breach of Q2, making it the most-hacked quarter on record by incident count. Across June, crypto exploit losses totaled $74.9 million over 29 incidents, up from May but far below April’s spike. Leading attack vectors recently included private key compromises, fake proof exploits, and reverse MEV honeypots.

Polymarket also recently disclosed a separate $600,000 exploit tied to an old internal private key.
