Polymarket confirmed on Thursday that hackers stole roughly $3 million from users through a supply chain attack: a third-party vendor it had not named was compromised, injecting malicious JavaScript into Polymarket’s frontend for some users. When affected users connected their wallets to the site, the injected script prompted them to sign or approve transactions that drained their PUSD – Polymarket’s native stablecoin on Polygon, backed 1:1 by USDC, which became the platform’s primary trading collateral after an April 2026 upgrade. PeckShield estimated losses at roughly $3 million from more than 11 victims. On-chain investigator Specter documented the fund flows in real time: the stolen PUSD was swapped for ETH and consolidated into a single Ethereum address carrying approximately 1,893 ETH, a standard technique for obscuring a theft trail and making recovery orders more difficult to enforce. Polymarket said it had contained the incident, removed the affected dependency, and was refunding victims in full. YourNewsClub reads the refund-in-full pledge as the commercially rational response – $3 million in user losses on a platform that generated $24 billion in combined monthly trading volume with Kalshi in April 2026 is operationally manageable; the reputational cost of not covering them is not.
The technical anatomy of the attack is the part that matters for Polymarket’s longer-term security credibility. This was not an exploit of Polymarket’s core smart contracts, which held. It was a supply chain compromise: an external vendor’s code was tampered with, served to users through Polymarket’s frontend, and user funds were siphoned through social engineering at the wallet approval stage rather than through a direct protocol exploit. The same category of attack has targeted multiple web3 platforms in recent years, typically by compromising JavaScript libraries that major platforms load from external sources. Polymarket has not disclosed which vendor was compromised, which prevents any meaningful external assessment of how the attack could have been prevented.
This is not the first Polymarket security incident of 2026. In May, blockchain investigator ZachXBT flagged a separate incident in which roughly $520,000 was drained from two Polymarket smart contracts on Polygon. That incident targeted the protocol’s operational infrastructure rather than its users directly. The June 25 attack was different in structure: it targeted users’ wallets through a compromised vendor rather than Polymarket’s own contracts. Together, the two incidents document a pattern: Polymarket’s core protocol has remained secure while its surrounding infrastructure has failed twice in under two months. YourNewsClub spots that infrastructure-versus-protocol distinction as the most commercially significant framing for how Polymarket should be assessed – the smart contracts appear to be working; everything built around them carries compounding exposure.
The broader context amplifies the stakes. On Sunday, an investigation revealed that Polymarket had paid online creators to post deceptive videos showing fabricated personal winnings. Polymarket committed to auditing its promotional content. Three days later, the hack. That combination – fraudulent marketing and a customer fund theft in the same week – creates exactly the conditions that trigger regulatory attention at platforms operating in grey-zone financial markets. The CFTC investigated and settled with Polymarket in 2022.
Alex Reinhardt, who tracks financial systems and settlement infrastructure through digital protocols, draws the structural exposure: “A prediction market dealing with fraudulent creator content, an operational wallet compromise, and a frontend supply chain theft in the same month is running a trust deficit that compound interest cannot fix. The refund covers the $3 million. It does not cover what else in Polymarket’s vendor stack has similar access.” Maya Renn, whose work focuses on the ethics of computation and access to power through technology, frames the disclosure gap: “Polymarket has not named the compromised vendor. Every other platform that uses the same vendor is now exposed without knowing it. Disclosure of the vendor’s identity is not optional from an ecosystem security standpoint – it is the minimal requirement for a responsible incident response.” YourNewsClub flags the unnamed vendor as the most commercially consequential undisclosed fact in the incident report.
YourNewsClub marks any regulatory filing that follows this incident as the first moment where the absence of voluntary vendor disclosure becomes a formal liability.