Polymarket confirms hackers stole user funds after third-party breach

Polymarket, one of the biggest prediction market platforms in the world, has confirmed that hackers stole funds from an unknown number of its users. The breach came through a third-party vendor, not Polymarket’s own systems directly, but the result was the same: real money, gone.

According to TechCrunch, the company posted on X confirming that a vendor compromise allowed attackers to inject malicious code into the Polymarket website, though only “for some users.” Polymarket says it has contained the incident and is now reaching out to affected users to refund them in full.

The full picture is still fuzzy. Polymarket spokesperson Connor Brandi confirmed to TechCrunch that user funds were stolen but declined to answer specific questions about how the attack worked or how many people were affected.

Blockchain monitoring firm PeckShield flagged a phishing campaign targeting Polymarket users around the same time the company posted its statement. PeckShield estimated that roughly $3 million worth of cryptocurrency was taken. A separate blockchain analyst reported similar figures and said the funds were stolen from more than 11 victims. In the days before the confirmation, at least two users had posted on social media claiming their Polymarket funds had disappeared.

The timing makes this especially bad for Polymarket. Just days earlier, the platform was already dealing with a separate controversy. An investigation published Sunday found that Polymarket had paid online creators to post fake videos showing them winning large bets that never actually happened. The company responded by saying it would audit its promotional content.

This latest incident points to a risk that any crypto-adjacent platform faces: the attack surface is not just your own code but every vendor you depend on. A single compromised third party can give attackers a way to reach users directly, whether through injected scripts, phishing pages, or wallet-draining malware. The fact that users lost real funds, and that the company is now having to refund them, shows how quickly trust can erode when that chain breaks.

Polymarket lets users bet on the outcomes of real-world events and pays out in cryptocurrency. That model has made it popular, but it also means any security failure hits users where it hurts most: their wallets. For a platform that has built its reputation on transparency and open markets, a week like this one is a serious problem.