Polymarket (Supply-Chain Attack) Hack 2026 — $3M Exploit Analysis

A supply-chain attack on Polymarket via a compromised third-party frontend vendor injected malicious JavaScript that drained ~$3.1M PUSD across 11+ wallets, with funds bridged Polygon to Ethereum and swapped to ~1,893 ETH.

Details

Full Description

On June 25, 2026, Polymarket, a leading prediction market, was hit by a supply-chain attack in which a compromised third-party frontend vendor injected malicious JavaScript into the Polymarket web application. The malicious script acted as a wallet drainer: when affected users connected their wallets to the Polymarket frontend, the injected JavaScript intercepted signing requests and tricked users into approving malicious transactions that transferred their PUSD balances and connected token approvals to attacker-controlled addresses.\n\nThe attack was a classic software supply-chain compromise rather than a smart contract exploit. The third-party vendor — which supplied a component embedded in the Polymarket frontend — had its own build or distribution pipeline compromised, allowing the attacker to substitute a legitimate script with a malicious one that was then served to end users through the official Polymarket domain. Because the malicious code ran in the context of the trusted Polymarket origin, browser security models offered no protection, and users had no easy way to distinguish the drainer from legitimate application behavior. At least 11 wallets were drained for a combined approximately $3.1M in PUSD.\n\nOnce the PUSD was extracted on Polygon, the attacker bridged the funds from Polygon to Ethereum and swapped them into approximately 1,893 ETH through decentralized exchanges. The conversion to ETH was a deliberate laundering choice, since ETH is far harder to freeze than a centralized stablecoin and can be routed through mixers. The incident underscored the persistent risk that frontend supply chains pose even to protocols with otherwise sound on-chain contracts.

Laundering Analysis

Stolen PUSD was bridged from Polygon to Ethereum and swapped for approximately 1,893 ETH via decentralized exchanges. The ETH conversion was chosen to evade stablecoin freeze mechanisms. No recovery has been reported at the time of writing; the funds are presumed to be in preparation for further mixing or OTC disposal.

Sources

Transaction Hashes

Back to Browse