Polymarket Loses $2.9M to Theft, Plans Full User Refunds

A third-party vendor compromise allowed attackers to inject malicious code into Polymarket’s frontend, leading to a phishing drain from user wallets, according to blockchain analyst Specter. The incident was discovered on Thursday and reportedly targeted at least 11 Polymarket users, with Specter estimating losses of $2.94 million.

Polymarket said on X that the issue has been contained, the affected dependency removed, and that users will be fully refunded. While Cointelegraph attempted to follow up for additional comment, no response was received before publication.

Key takeaways

  • Specter attributed the Polymarket incident to malicious script injection following a vendor compromise, with an estimated $2.94 million drained from at least 11 wallets.
  • Polymarket states the compromise has been contained and that the impacted dependency was removed, with full user refunds promised.
  • DefiLlama data shows June exploit losses reached $74.9 million across 29 incidents—more than May’s $60.5 million, but far below April’s $644 million.
  • Over the last 30 days, private key compromises accounted for 43% of reported exploit losses, making them the leading attack vector.
  • DefiLlama’s breakdown points to other recurring methods, including “fake proof” exploits (10%) and reverse MEV honeypots (8%).

Polymarket: vendor compromise leads to frontend phishing

Specter said the malicious script appeared to be designed to facilitate phishing, ultimately draining funds from multiple Polymarket wallets. The key operational detail in the account is that the attacker did not need to compromise Polymarket’s core smart contracts directly; instead, the issue originated from a third-party vendor compromise that enabled code injection into the platform’s frontend.

That distinction matters for users because frontend-based attacks can succeed even when on-chain contracts remain intact. In practice, phishing scripts can trick users into approving malicious actions, entering credentials into spoofed interfaces, or signing transactions that benefit attackers.
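An added example, not taken from the article or from Polymarket: the article does not say how the vendor's code reached the frontend, so this Python audit assumes the common case of scripts loaded from a vendor's host. It checks whether each such script is pinned with a Subresource Integrity hash and whether the bytes now being served still match the pin. The hosts (`app.example`, `cdn.vendor-a.example`, `cdn.vendor-b.example`) and script bodies are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "app.example"  # hypothetical first-party host
ALGOS = ("sha256", "sha384", "sha512")

def sri_pin(body, algo="sha384"):
    """Integrity value for the exact bytes that were reviewed."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

class ScriptTags(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))

def audit(html, served):
    """Classify each third-party script as 'unpinned', 'ok' or 'mismatch'.
    served maps URL -> bytes the vendor host currently returns for it."""
    parser = ScriptTags()
    parser.feed(html)
    report = {}
    for src, integrity in parser.found:
        host = urlparse(src).netloc
        if not host or host == SITE_HOST:
            continue  # relative or first-party URL: not a vendor script
        if not integrity:
            report[src] = "unpinned"  # vendor can change this code at will
            continue
        pins = integrity.split()
        used = {p.split("-", 1)[0] for p in pins} & set(ALGOS)
        ok = any(sri_pin(served[src], a) in pins for a in used)
        report[src] = "ok" if ok else "mismatch"
    return report

# Constructed sample: vendor hosts and script bodies are invented.
REVIEWED = b"export const widget = () => 'chart';"
TAMPERED = REVIEWED + b"/* changed after review */"
PAGE = f"""<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/w.js" integrity="{sri_pin(REVIEWED)}" crossorigin="anonymous"></script>
<script src="https://cdn.vendor-b.example/t.js"></script>"""
```

A `mismatch` is a script that a browser enforcing the pin would refuse to execute; an `unpinned` script runs whatever the vendor host returns.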

Polymarket’s response emphasized containment and remediation: the platform said the compromise has been stopped, the problematic dependency removed, and affected users will receive full refunds. With those steps, the immediate risk of further wallet draining should decline, though users will still want to monitor their accounts and transaction history for any suspicious approvals.

Why this sits within a larger pattern of crypto incidents

The Polymarket event comes amid a sustained run of reported crypto security breaches. DefiLlama data lists the Polymarket incident as the 89th reported crypto security breach of the second quarter. That count extends what DefiLlama's data already shows to be the most-hacked quarter on record by incident count.

Earlier in June, DefiLlama’s monthly totals already reflected elevated activity. June exploit losses climbed to $74.9 million across 29 reported incidents, surpassing May’s $60.5 million. However, April’s $644 million remains the standout outlier for magnitude, underscoring that while breach frequency remains high, individual months can vary dramatically based on whether large incidents occur.

June’s reported exploit losses: the biggest June incidents

DefiLlama’s aggregation highlights several of the largest June events. The most prominent was the $36 million Humanity Protocol exploit. Other notable losses included the $4.7 million Secret Network bridge exploit, two Aztec-related exploits worth $2.1 million each, and a $1.7 million bridge exploit tied to Taiko, according to the article’s cited figures and linked coverage.

Taken together, the list shows that bridge ecosystems and cross-chain integrations continue to attract high-impact attacks. While frontend phishing attacks like Polymarket’s are distinct from bridge exploits, both categories fall under the broader umbrella of “exploit losses”—the measurable outcomes when attackers successfully compromise systems or user interactions.

Attack vectors over the last month: key compromise still leads

DefiLlama data summarized in the piece indicates that the primary driver of reported exploit losses over the past 30 days was private key compromise, responsible for 43% of losses. Fake proof exploits accounted for 10%, while reverse MEV honeypots made up 8% of losses, based on DefiLlama’s breakdown.

The vector mix is useful because it shifts how defensive priorities are framed. Private key compromise suggests either user-side weakness (including wallet security practices) or operational weaknesses involving signing keys—issues that often persist across unrelated protocols. Meanwhile, fake proof and reverse MEV honeypots reflect more sophisticated adversarial tactics at the application and execution layers, targeting how systems validate claims or how trading bots execute orders.

The article also notes that roughly a month before Polymarket’s latest attack, the prediction market disclosed a separate $600,000 exploit traced to a six-year-old private key used for internal top-up operations. Polymarket leadership said at the time that user funds and contracts were safe and that permissions tied to the key had been revoked. That earlier disclosure shows the platform has dealt with operational key risks before.

Polymarket’s scale and what users should monitor next

DefiLlama data cited in the article places Polymarket’s total value locked at over $450 million, up 301% from $112 million a year earlier. As platforms grow, they often become more attractive targets—not only for contract-level attacks but also for the broader supply-chain and integration risks that can surface through third-party dependencies.

Going forward, readers should watch for two signals: confirmation from Polymarket and security analysts that the injected frontend dependency is fully removed and no similar vendor-based pathways remain, and whether wallet-level incidents prompt changes in how users interact with the platform (for example, renewed scrutiny of approvals and transaction prompts). With refunds promised, the immediate impact may be contained, but the recurrence of earlier key-related disclosures underscores that operational security remains a critical focus for both users and the platforms they rely on.

By aashura

Aashura is the Lead Researcher at CryptoListed.net. As a dedicated crypto investor and analyst since 2018, he specializes in creating clear, data-driven guides that help users navigate the market safely. Follow his latest insights on Twitter @[YourHandle].
