Hackers stole an estimated $3 million from fewer than 15 Polymarket accounts after a supply-chain attack compromised a third-party frontend vendor, allowing malicious JavaScript to trick users into approving fraudulent transactions on the official Polymarket website. The company’s own servers and backend infrastructure were not affected.
The $9 billion prediction platform, founded in 2020, confirmed the breach in a statement and pledged full reimbursement to all impacted wallets. Polymarket said it had contained the incident. It didn’t name the compromised vendor.
Blockchain security firm PeckShield put losses at approximately $3 million in ParyonUSD. The attacker bridged the stolen funds from Polygon to Ethereum and converted them into roughly 1,893 ETH. Visual analytics company Bubblemaps tracked the affected wallets and confirmed the attack hit fewer than 15 accounts, publishing a list of impacted addresses and the wallets holding the stolen funds.
Supply-chain attacks of this type don’t need to crack a smart contract. Targeting a frontend vendor dependency bypasses the core protocol entirely and turns the platform’s own interface into the attack vector. Polymarket’s $9 billion valuation makes absorbing a $3 million reimbursement feasible. For a smaller prediction market running the same third-party dependency stack without the same capital, it isn’t.
Polymarket hasn’t disclosed which vendor was compromised, what remediation steps are planned, or whether law enforcement has been contacted.
James Okafor