Polymarket has confirmed that attackers compromised a third-party vendor and used that access to inject malicious code into the platform’s frontend, leading to a phishing attack that drained an estimated $2.94 million from users.
Polymarket disclosed on X that it has removed the affected dependency, contained the incident, and will fully reimburse affected users.
Blockchain analyst Specter estimated that the attack drained funds from at least 11 wallets after the malicious script appeared on the platform’s frontend.
Specter identified the attack as a phishing campaign rather than a protocol exploit. The analyst said the injected script enabled attackers to steal funds from connected wallets after users interacted with the compromised interface.
DefiLlama recorded the incident as the 89th reported crypto security breach of the second quarter, making it the highest quarterly total by incident count in the platform’s records.
DefiLlama also reported $74.9 million in losses across 29 crypto exploits during June. That total exceeded May’s $60.5 million but remained well below April’s $644 million.
The platform listed the $36 million Humanity Protocol exploit as June’s largest attack. Other major incidents included a $4.7 million exploit involving the Secret Network bridge, two separate $2.1 million exploits affecting Aztec, and a $1.7 million bridge exploit on Taiko.
DefiLlama reported that private key compromises accounted for 43% of exploit losses over the past 30 days. Fake proof exploits represented 10% of losses, while reverse MEV honeypots accounted for 8%.
Polymarket disclosed a separate security incident about a month earlier, after attackers exploited a six-year-old private key used for internal top-up operations and stole about $600,000.
Security researchers, including ZachXBT, PeckShield, and Bubblemaps, initially flagged suspicious activity involving Polymarket’s UMA CTF Adapter contract on Polygon. Bubblemaps reported that attackers withdrew 5,000 POL every 30 seconds before estimating total losses at roughly $600,000.
Polymarket protocol contributor Shantikiran Chanal later attributed that incident to a compromised wallet used for internal operations rather than a vulnerability in the platform’s contracts or core infrastructure.
Josh Stevens, the company’s vice president of engineering, stated at the time that user funds and smart contracts remained secure and that all permissions linked to the compromised key had been revoked.