Polymarket confirmed a $2.94M phishing attack via a compromised vendor that drained at least 11 wallets and pledged to fully reimburse users.
Polymarket has confirmed that attackers gained access through a compromised third-party vendor and used it to inject malicious code into the platform’s frontend. The incident triggered a phishing attack that resulted in the loss of approximately $2.94 million in user funds.
The company announced on X that it has since removed the compromised dependency, contained the breach, and committed to fully reimbursing affected users.
Blockchain analyst Specter estimated that the malicious script led to thefts from at least 11 wallets after it was deployed on the platform’s user interface.
The attack was classified as a phishing campaign rather than a direct protocol exploit: the injected code tricked users into interacting with a compromised frontend, enabling attackers to drain connected wallets.
Data from DefiLlama shows that this incident ranks as the 89th security breach of the second quarter, marking the highest quarterly count recorded on the platform.
During June alone, crypto exploits caused approximately $74.9 million in losses across 29 incidents. This figure was higher than May’s $60.5 million but significantly lower than April’s $644 million spike.
The largest exploit in June involved the Humanity Protocol, with losses of around $36 million. Other notable cases included a $4.7 million exploit on the Secret Network bridge, two separate $2.1 million incidents affecting Aztec, and a $1.7 million exploit targeting the Taiko bridge.
DefiLlama also noted that private key compromises accounted for 43% of total losses over the past 30 days, while fake proof attacks contributed 10%, and reverse MEV honeypots made up 8%.
This is not the first security issue reported by Polymarket. About a month earlier, attackers exploited a six-year-old private key used in internal top-up operations, resulting in losses of roughly $600,000.
Security researchers including ZachXBT, PeckShield, and Bubblemaps initially detected suspicious activity linked to Polymarket’s UMA CTF Adapter contract on Polygon. Bubblemaps reported unusual withdrawals of 5,000 POL every 30 seconds, estimating total losses at around $600,000.
Later, Polymarket contributor Shantikiran Chanal confirmed that the incident stemmed from a compromised internal wallet rather than a vulnerability in the platform’s core smart contracts.
At the time, Polymarket’s vice president of engineering, Josh Stevens, stated that user funds remained secure and that all permissions tied to the compromised key had been revoked.
From a broader standpoint, the Polymarket incidents highlight a growing shift in attack vectors within the crypto ecosystem. Rather than targeting core smart contracts, attackers are increasingly exploiting frontend infrastructure, third-party dependencies, and compromised keys, which often represent weaker security points. This trend suggests that even well-audited protocols remain vulnerable when external integrations or operational keys are exposed. As the industry matures, security focus is likely to shift further toward supply-chain protection and user interface integrity, not just on-chain code auditing.