Prediction market platform Polymarket has pledged to reimburse customers who lost funds during a Polymarket supply chain attack that compromised part of its website. Attackers injected malicious JavaScript through a third-party frontend dependency, allowing them to trick users into approving fraudulent cryptocurrency transactions.
The company said the incident affected only its website’s frontend and did not compromise its backend infrastructure or internal servers.
Third-Party Dependency Enabled the Attack
According to Polymarket, attackers breached one of the platform’s frontend vendors before inserting malicious code into the website.
Visitors who accessed the official Polymarket site during the attack unknowingly interacted with the altered code. Instead of displaying obvious signs of compromise, the malicious script prompted some users to approve blockchain transactions that transferred funds to attacker-controlled wallets.
Because the attack originated from a trusted third-party dependency, users had little reason to suspect anything unusual while browsing the platform.
Polymarket Promises Full Customer Reimbursement
Polymarket confirmed that it will fully reimburse everyone who lost funds during the incident.
Although the company has not disclosed the exact number of affected users, blockchain security firms estimate that attackers stole roughly $3 million in cryptocurrency from a relatively small group of accounts.
The attack appears to have targeted users rather than the platform itself, allowing Polymarket to avoid any compromise of customer accounts stored on its own infrastructure.
Blockchain Investigators Trace the Stolen Funds
Blockchain security company PeckShield analyzed the attackers’ activity and concluded that the campaign stole approximately $3 million worth of ParyonUSD.
Researchers said the attackers later bridged the stolen assets from the Polygon network to Ethereum before exchanging the funds for approximately 1,893 Ether (ETH).
The movement of funds across public blockchains allowed investigators to follow the transactions after the theft.
Meanwhile, blockchain analytics firm Bubblemaps reported that the incident appears to have affected fewer than 15 accounts. The company also identified several wallets linked to the stolen cryptocurrency, helping researchers monitor where the assets moved after the attack.
Supply Chain Attacks Continue to Threaten Crypto Platforms
The Polymarket supply chain attack highlights the growing risk posed by compromised third-party software and services.
Rather than attacking a company’s infrastructure directly, threat actors increasingly target external vendors and software dependencies that organizations trust. Once attackers gain access to those services, they can distribute malicious code to thousands of users through legitimate websites.
For cryptocurrency platforms, these attacks can prove especially damaging because a single fraudulent wallet approval may permanently transfer digital assets to attackers.
As more financial platforms rely on third-party services to power their websites, organizations will need stronger supply chain security, continuous monitoring, and stricter controls over external code before it reaches production systems.


0 responses to “Polymarket Supply Chain Attack Costs Users $3 Million”