Key facts
- Approximately $3.1 million in PUSD tokens was stolen from 11 Polymarket user wallets.
- The stolen funds were transferred from Polygon to Ethereum.
- Polymarket identified a compromised third-party vendor as the cause of the hack.
- The platform has committed to providing full refunds to all affected PUSD holders.
- This is the latest in a series of security incidents for Polymarket.
Hackers stole approximately $3.1 million in Polymarket's native PUSD token from 11 user wallets, moving the funds from the Polygon network to Ethereum, according to blockchain intelligence firm AMLBot. Polymarket stated that a compromised third-party vendor injected a malicious script into its frontend, leading to the phishing attack. The platform has since removed the dependency and pledged to refund all affected PUSD holders in full.
This incident marks another security challenge for Polymarket, which has experienced previous breaches. In March, over $520,000 was reportedly drained from two smart contracts on the Polygon blockchain, and in December, a security incident on its Discord channel was blamed on a third-party login provider. The news of the phishing attack also comes amid reports that Polymarket is under federal investigation for allegedly deceptive social media promotions.