Key Takeaways
Prediction market platform Polymarket is facing one of its largest security incidents to date after blockchain intelligence firms traced roughly $3.1 million in stolen user funds to a sophisticated phishing attack that compromised the platform’s frontend through a third-party vendor.
Blockchain security firm AMLBot said attackers drained approximately $3.1 million worth of PUSD from 11 user wallets on Polygon before rapidly laundering the proceeds through multiple blockchain networks.
The stolen assets were converted into ETH and consolidated across three newly created Ethereum wallets, where nearly 1,892 ETH currently remains under observation.
The incident has renewed concerns over frontend attacks targeting decentralized applications, highlighting how compromised third-party software can expose users even when a protocol’s smart contracts remain secure.
According to AMLBot, the attack relied on phishing techniques combined with malicious EIP-7702 delegated execution to trick users into signing wallet approvals that ultimately emptied their accounts.
Rather than exploiting Polymarket’s underlying smart contracts, attackers compromised a third-party vendor and inserted malicious code into software running on parts of the platform’s frontend.
Polymarket Under Attack
Polymarket users were drained of ~$3.1M in PUSD on Polygon via phishing / malicious EIP-7702 delegated execution.
Funds were converted to USDC.e via Relay, bridged to Ethereum, swapped to ETH, and consolidated at… pic.twitter.com/bG3GYZZ1D9
— AMLBot (@AMLBotHQ) June 27, 2026
The code tricked some users into approving wallet transactions that transferred their assets to the attackers.
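As an added illustration (not code from the article, AMLBot or Polymarket), a defender triaging wallets after an incident like this can check whether an account currently carries an EIP-7702 delegation and whether the delegate is one the owner recognises. The designator layout (0xef0100 followed by a 20-byte address) comes from the EIP-7702 specification; the function names, allowlist and sample addresses are constructed for the example.

```javascript
// Added example: classify eth_getCode results for wallets under review.
// EIP-7702 stores a "delegation designator" as the account's code:
// the 3 bytes 0xef0100 followed by the 20-byte delegate address (23 bytes).
const DESIGNATOR_PREFIX = "ef0100";

function classifyAccountCode(codeHex) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new TypeError("expected 0x-prefixed hex from eth_getCode");
  }
  const hex = codeHex.slice(2).toLowerCase();
  if (hex.length === 0) return { kind: "eoa" }; // no code, no delegation
  if (hex.length === 46 && hex.startsWith(DESIGNATOR_PREFIX)) {
    return { kind: "delegated", delegate: "0x" + hex.slice(6) };
  }
  return { kind: "contract" }; // ordinary contract bytecode
}

// allowlist (hypothetical): delegate contracts the owner knowingly opted into.
function triage(accounts, allowlist) {
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  return accounts.map(({ address, code }) => {
    const result = classifyAccountCode(code);
    const suspicious =
      result.kind === "delegated" && !allowed.has(result.delegate);
    return { address, ...result, suspicious };
  });
}

// Constructed sample data: placeholder addresses, not from the incident.
const KNOWN_DELEGATE = "0x" + "aa".repeat(20);
const SAMPLE_ACCOUNTS = [
  { address: "0x" + "11".repeat(20), code: "0x" },
  { address: "0x" + "22".repeat(20), code: "0xEF0100" + "aa".repeat(20) },
  { address: "0x" + "33".repeat(20), code: "0xef0100" + "bb".repeat(20) },
  { address: "0x" + "44".repeat(20), code: "0x6080604052" },
];

const report = triage(SAMPLE_ACCOUNTS, [KNOWN_DELEGATE]);
for (const r of report) {
  const flag = r.suspicious ? "REVIEW" : "ok";
  console.log(r.address, r.kind, r.delegate ?? "-", flag);
}
```

In practice the `code` values would come from an `eth_getCode` call against a trusted RPC endpoint for each wallet address being reviewed.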
Blockchain investigators traced the stolen PUSD as attackers moved it from Polygon through Relay, swapped it for USDC.e, and bridged it to Ethereum. They then exchanged the funds for ETH and consolidated nearly all of it into three newly created wallets.
AMLBot identified the largest address as holding approximately 1,788.5 ETH, while two additional wallets currently contain roughly 100 ETH and 3.4 ETH, respectively. The company said it continues actively monitoring the addresses for any attempts to move or launder the funds.
The attack resembles previous supply-chain compromises in the crypto industry, including the 2024 incident affecting decentralized exchange aggregator 1inch, where attackers exploited the widely used Lottie Player library to inject wallet-draining code into the platform’s web interface.
Polymarket acknowledged the incident shortly after investigators identified it, confirming that a compromised third-party dependency injected malicious code into parts of its frontend.
The company removed the affected dependency, contained the attack, and stressed that the incident did not affect its core protocol or smart contracts.
On June 25th, #Polymarket was hit by a phishing attack, causing ~$3M in losses across multiple users.
We saw a lot of people tracing the funds through bridges from #Polygon to #Ethereum, and from $USDC to $ETH, mostly successfully. Two wallets have been reported holding almost… pic.twitter.com/NENrGLOMpm
— Noxos Intelligence (@NoxosIntel) June 27, 2026
“We’ve contained it and removed the affected dependency,” the company said, adding that it had begun contacting affected users and would refund victims in full.
Earlier estimates placed the losses at approximately $2.94 million, but AMLBot’s latest forensic analysis raised the total to roughly $3.1 million across 11 compromised wallets.
Security researchers noted that frontend attacks are particularly dangerous because users often have little indication that anything is wrong.
While the website may appear entirely legitimate, malicious JavaScript loaded through compromised third-party libraries can generate fraudulent wallet prompts that closely resemble legitimate transaction requests.
The phishing incident comes during an increasingly difficult period for Polymarket, which has faced several security-related controversies over the past year.
In March, blockchain investigator ZachXBT flagged a separate security incident after a drain of more than $520,000 from two Polygon smart contracts. Polymarket later maintained that user funds remained safe in that case.
#PeckShieldAlert Specter has reported that a #phishing campaign appears to be targeting #Polymarket users, with ~$3M worth of $PUSD drained.
The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 $ETH. pic.twitter.com/Li4nZY1me4
— PeckShieldAlert (@PeckShieldAlert) June 25, 2026
The platform also confirmed a Discord security incident in December after users reported suspicious login attempts and missing funds.
According to previous industry reports, DefiLlama records the latest exploit as the 89th crypto security breach during the second quarter, making it the busiest quarter on record by the number of incidents.
The attack also arrives as prediction markets face heightened political scrutiny in Washington. US lawmakers have questioned regulators over alleged deceptive advertising practices by prediction market platforms, adding further pressure on the sector as it continues to expand into mainstream financial markets.
Giuseppe Ciccomascolo began his career as an investigative journalist in Italy, where he contributed to both local and national newspapers, focusing on various financial sectors.
Upon relocating to London, he worked as an analyst for Fitch's CapitalStructure and later as a Senior Reporter for Alliance News. In 2017, Giuseppe transitioned to covering cryptocurrency-related news, producing documentaries and articles on Bitcoin and other emerging digital currencies. He also played a pivotal role in establishing the academy for a cryptocurrency exchange website. Crypto remained his primary area of interest throughout his tenure as a writer for ThirdFloor.
