Security/ security · crypto · supply chain · polymarket

Polymarket Loses $3M in Supply Chain Attack

A compromised third-party vendor injected malicious scripts into Polymarket's frontend, draining crypto from roughly 11 users before the platform caught it.

A supply chain attack hit prediction market Polymarket, costing users around $3 million in stolen cryptocurrency.

Polymarket confirmed the breach in a post on X, saying a third-party vendor was compromised and used to inject a malicious script into its frontend. The platform says it contained the incident, removed the affected dependency, and is refunding all affected users in full. It has not named the compromised vendor or the dependency, and has not confirmed how many users were hit or the total stolen amount — those figures come from blockchain monitoring firm PeckShield, which puts the count at roughly 11 users and $3 million in crypto.

Supply chain attacks are now one of the more reliable vectors against web platforms precisely because the attack surface is as wide as every dependency a site touches. Polymarket's crypto-native payment model means a frontend script injection can go straight to wallet drainage — no additional steps required. That combination of third-party trust and irreversible crypto transactions is a known liability, and one Polymarket apparently hadn't fully hedged against.

Reaction on X was blunt: community members said they had flagged vulnerabilities that went unaddressed, and a few accused the company of previously antagonizing security researchers — not a great reputation to carry into a breach disclosure. One affected user speculated the vector ran through a VPS purchased from Xorek Cloud, though that remains unverified. Full refunds are a reasonable response; not naming the vendor is a less reasonable omission.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →