Polymarket's June 2025 frontend breach has grown to $3.1 million in losses across 11 wallets after AMLBot raised its estimate. The platform has pledged full refunds to affected users while facing increased regulatory scrutiny in the U.S.
The recent security incident affecting Polymarket has become more severe after blockchain security firm AMLBot revised the estimated financial damage to approximately $3.1 million. The updated assessment comes after the prediction market platform had already pledged to fully compensate impacted users, following the discovery that attackers exploited a compromised third-party service integrated into its website.
Although Polymarket emphasized that its core infrastructure remained intact, the incident highlights the growing risks posed by external software dependencies that interact with decentralized applications.
According to AMLBot's latest investigation, cybercriminals managed to steal nearly $3.1 million worth of PUSD from 11 user wallets. The stolen assets were initially removed from the Polygon network before being rapidly transferred to Ethereum, a common tactic used by attackers to complicate asset tracing and liquidation.
The updated figure represents an increase from previous estimates of roughly $2.94 million. Earlier findings from Specter Analyst first identified the attack as a sophisticated phishing campaign that compromised at least eleven wallets holding PUSD.
The revised numbers suggest that investigators were able to identify additional stolen assets as blockchain tracking progressed, illustrating how the true financial impact of crypto-related attacks often becomes clearer only after extensive forensic analysis.
In a statement published on June 25, Polymarket confirmed that the incident originated from the compromise of a third-party vendor rather than its own protocol. According to the company, the affected external service allowed malicious actors to inject harmful JavaScript into portions of the platform's frontend, exposing a limited group of users to fraudulent wallet interactions.
Polymarket stated that the vulnerable dependency was immediately removed after the issue was identified and confirmed that the malicious code had been fully contained.
The platform also reiterated that it is directly contacting every affected user and intends to reimburse all verified losses in full, seeking to reassure customers that those impacted by the attack will not bear the financial burden.
Unlike attacks that exploit vulnerabilities within smart contracts, this incident appears to have focused entirely on the platform's web interface.
Frontend attacks manipulate the code displayed inside a user's browser while leaving the underlying blockchain protocol untouched. Because the website often continues to appear legitimate, users may unknowingly approve malicious wallet transactions believing they are completing normal actions on the platform.
Blockchain security company PeckShield reported that the attackers transferred the stolen assets from Polygon to Ethereum before converting them into approximately 1,893 ETH. Specter Analyst further noted that the funds were eventually consolidated into a single Ethereum wallet after the phishing campaign concluded.
The incident demonstrates how deceptive frontend attacks can bypass users' expectations by exploiting trust in a familiar interface rather than weaknesses in blockchain technology itself.
The breach has renewed industry attention on the risks associated with third-party software integrations.
Even when a decentralized platform's smart contracts remain secure and unchanged, external libraries, analytics tools, or website components supplied by outside vendors can create significant attack surfaces. A single compromised dependency may provide attackers with an opportunity to inject malicious code without directly breaching the platform's blockchain infrastructure.
As decentralized applications become increasingly complex, maintaining security across every external integration has become just as important as auditing smart contracts.
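One check a frontend team can run against the dependency risk described above, as an added example that is not from Polymarket or the original article: it lists every external script a page loads and flags third-party ones that are not pinned with Subresource Integrity (SRI). The HTML, the host names and the helper names `sriHash`, `auditScripts` and `matchesPin` are constructed for illustration, and the regex-based tag parsing is a simplification.

```javascript
// Added example: audit a page's <script> tags for third-party code loaded
// without Subresource Integrity (SRI). Sample HTML and hosts are constructed.
const { createHash } = require("crypto");

// SRI value for a script body, in the form browsers expect: "sha384-<base64>".
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Return one finding per external script: its host, whether it is third-party,
// and whether an integrity attribute pins its content.
function auditScripts(html, firstPartyHost) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: SRI does not apply
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const host = new URL(src[1], `https://${firstPartyHost}/`).host;
    const thirdParty = host !== firstPartyHost;
    findings.push({
      src: src[1], host, thirdParty,
      integrity: integrity ? integrity[1] : null,
      risk: thirdParty && !integrity ? "unpinned-third-party" : "ok",
    });
  }
  return findings;
}

// Compare what a vendor currently serves against the pinned value.
function matchesPin(servedBody, pinned) {
  return pinned.split(/\s+/).includes(sriHash(servedBody));
}

// Constructed sample input: hosts and file names are placeholders.
const vendorBody = "window.widget={render(){}};";
const sampleHtml = `
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/widget.js"
        integrity="${sriHash(vendorBody)}" crossorigin="anonymous"></script>
<script src="https://analytics.vendor.example/tag.js" async></script>`;

const report = auditScripts(sampleHtml, "app.example");
console.table(report.map(({ src, thirdParty, risk }) => ({ src, thirdParty, risk })));
console.log("modified vendor file still matches pin:",
  matchesPin(vendorBody + "/*changed*/", report[1].integrity));
```

SRI only fits versioned, static files; a vendor script that changes between loads cannot be pinned and has to be constrained by self-hosting or a Content-Security-Policy instead.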
The latest attack is not the first security challenge faced by Polymarket.
Earlier this year, in March, blockchain investigator ZachXBT highlighted a suspected breach after more than $520,000 was reportedly drained from two Polygon smart contracts. Polymarket later clarified that user funds had not been compromised during that incident.
The company also dealt with another security event in December, when users reported suspicious login attempts and missing funds through its Discord community. Although the circumstances differed from the latest exploit, the repeated incidents have increased scrutiny surrounding the platform's overall security posture.
Meanwhile, DefiLlama previously classified the most recent exploit as the 89th cryptocurrency security breach recorded during the second quarter. That milestone reportedly made the quarter the busiest on record in terms of the total number of publicly disclosed crypto security incidents.
The growing number of attacks illustrates that modern crypto platforms must defend multiple layers simultaneously, including smart contracts, wallet integrations, authentication systems, frontend applications, and third-party service providers.
The cybersecurity incident comes as Polymarket is also facing mounting regulatory attention in the United States.
Recent reports indicate that U.S. Senators Adam Schiff and John Curtis have asked the Commodity Futures Trading Commission (CFTC) to examine allegations concerning Polymarket's promotional practices.
The lawmakers questioned whether the company relied on simulated trading platforms, staged transactions, or undisclosed influencer marketing campaigns when advertising its prediction markets. They also asked whether the CFTC possesses sufficient regulatory authority to effectively supervise prediction market platforms and safeguard consumers.
At the same time, Polymarket and Kalshi remain involved in an ongoing legal dispute over sports-related event contracts. Kentucky regulators argue that these products constitute unlicensed sports betting, while the CFTC maintains that federally regulated event contracts should fall under derivatives law rather than state gambling legislation.
The outcome of these legal proceedings could significantly influence the future regulatory framework governing sports-based prediction markets across the United States.
The Polymarket incident highlights a broader trend emerging across the digital asset industry. While smart contract security has improved considerably over recent years, attackers are increasingly shifting their focus toward weaker links such as frontend applications, browser-based interactions, and third-party software providers. These attack vectors often require less technical complexity while still giving hackers access to substantial user funds.
At the same time, the timing of this breach places additional pressure on Polymarket as it navigates growing regulatory scrutiny. Repeated security incidents, regardless of whether they originate from the protocol itself or external vendors, can influence both public confidence and regulatory perception.
Going forward, platforms operating in the decentralized finance and prediction market sectors may be judged not only by the strength of their blockchain infrastructure, but also by how effectively they manage external integrations, respond to incidents, and maintain transparency with users and regulators alike.