The prediction market platform Polymarket has been hit by a major exploit that drained roughly $3 million from its users' funds. The breach traces back to Thursday, when one of the company's third-party vendors was hacked, leaving Polymarket's website exposed to an attack.
In a post on X, the company explained that the hack let attackers inject malicious code into the prediction market's front-end. Polymarket did not say publicly which of its vendors had been compromised.
$3 Million Gone, Fewer Than 15 Accounts Hit
In the end, the hackers made off with around $3 million in customer money. According to blockchain investigations firm Bubblemaps, on-chain data shows the potential damage was largely contained, with fewer than 15 user accounts affected. On June 25, 2026, Bubblemaps also shared the addresses of some of the impacted Polymarket accounts.
Polymarket says it is in the process of refunding affected customers in full, and that the front-end issue has been contained and removed.
How the Funds Were Drained
The attackers pulled money from Polymarket customer wallets holding pUSD, the platform's own dollar-pegged stablecoin backed by USDC that is used to facilitate every trade on the site. They then converted the stolen funds into ETH and compiled them into an Ethereum wallet, where, as of writing, they remain.
A Second Hit in As Many Months
This is not the first time Polymarket has been targeted. Last month, the company suffered another hack, this one involving a wallet that employees used to top up and pay out user rewards. That exploit cost roughly $700,000 and was likely caused by a private key compromise. At the time, experts said it did not appear to affect the company's infrastructure or pose broader risks.
What the Attack Reveals
It remains unclear what steps the prediction market platform can take to prevent such an exploit in the future, given that it relies on external, third-party businesses that are apparently directly involved in running the site. Both last month's incident and this one point to the same uncomfortable reality: even when a company's core protocols stay secure, hackers can still infiltrate big firms around the edges.
