Key Highlights
- A phishing attack targeting Polymarket users drained around $3 million in PUSD.
- Attackers exploited a compromised third-party frontend vendor, injecting malicious scripts.
- Stolen funds were bridged from Polygon to Ethereum and swapped into 1,893 ETH.
A sophisticated phishing campaign has targeted users of the prediction market platform Polymarket, resulting in approximately $3 million worth of PUSD being drained from victim wallets.
In an X post on Thursday, blockchain security firm PeckShieldAlert highlighted the incident, revealing that the attacker successfully bridged the stolen funds from Polygon to Ethereum before swapping them into roughly 1,893 ETH.
On-chain data confirms the scale of the breach. A wallet address starting with 0xe65b1C… (currently holding 1,892.92 ETH valued at approximately $2.96 million at current prices) received multiple large incoming transfers in quick succession, including 138.7 ETH, 832.8 ETH, 114 ETH, 210 ETH, 272 ETH, and 325.4 ETH. These transfers occurred roughly one to two hours ago and align with the timeline of the reported phishing campaign.
Polymarket reacts swiftly to the incident
The phishing operation reportedly involved a compromised third-party vendor that injected a malicious script into Polymarket’s frontend. This allowed the attacker to siphon PUSD from users who interacted with the affected interface. The stolen stablecoins were then rapidly bridged across chains and converted into ETH, a common tactic used by exploiters to obscure trails and liquidate funds quickly.
Polymarket responded swiftly to the incident. In an official statement on X, the platform acknowledged, “This morning we discovered a third-party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.”
The company said the vulnerability was limited and that remediation efforts are already underway. Polymarket has committed to reimbursing all affected users.
Third-party dependencies increase security risks
While the platform itself was not directly hacked, the compromise of a third-party dependency highlights the supply chain vulnerabilities that continue to plague Web3 applications. Users are reminded to exercise caution with wallet connections, verify URLs, and avoid interacting with suspicious prompts.
The attacker’s ability to bridge funds from Polygon to Ethereum and consolidate them into a single wallet demonstrates the speed and efficiency of cross-chain exploitation tactics.
The incident adds to a difficult year for DeFi security. More than $840 million was lost across over 50 incidents during the first five months of 2026, representing a 70% year-over-year increase.
The worst came in April, when two mega-hacks dominated: KelpDAO lost around $292 million via a LayerZero bridge exploit involving spoofed cross-chain messages, and Drift Protocol on Solana was drained of around $285 million through sophisticated key/credential theft linked to persistent adversaries.
Polymarket faces additional scrutiny
The security incident comes as Polymarket faces scrutiny following a Wall Street Journal investigation that alleged the platform paid offshore content creators to produce videos showing winning bets on lookalike websites.
The report claims Polymarket compensated mostly college-age creators to film themselves placing and winning large bets on lookalike websites mimicking the real platform. According to the Journal, which reviewed over 1,100 videos, none of the roughly $1.9 million in showcased bets were genuine. Many were staged on dummy domains such as “poiymarket.com,” with creators celebrating fabricated wins that would have resulted in substantial losses on the actual platform.
Also Read: How Europol Helped Freeze $47M in Crypto Tied to Cybercrime
