PUSD hack drains $3.1M from Polymarket wallets

The refund pledge buys goodwill, but a third-party vendor breach, repeated phishing incidents, and a federal marketing investigation now converge on the prediction market at the same time.

Hackers drained roughly $3.1 million in Polymarket's PUSD token from 11 user wallets in a phishing attack that bridged the stolen funds from Polygon to Ethereum, according to blockchain intelligence firm AMLBot's Saturday update on X. Initial estimates from PeckShield and Specter Analyst had placed losses near $2.94 million and roughly 1,893 ETH; AMLBot's revised figure is now the working number for the incident.

Polymarket said a compromised third-party vendor injected a malicious script into its frontend and pledged full refunds to affected PUSD holders. The platform said it contained the breach and removed the affected dependency, though the prediction market declined further comment when reached by CoinDesk on Saturday.

Why it matters

This is Polymarket's third reported security incident in four months. In March, on-chain investigator ZachXBT flagged more than $520,000 drained from two Polygon smart contracts; the platform then said funds were safe. In December, users reported missing balances and suspicious logins on its Discord channel, which the company blamed on an unnamed third-party login provider. The recurring failure mode, in each case, is a third-party integration rather than Polymarket's own contracts, a structural risk the platform has yet to eliminate.

The attack also lands while Polymarket is reportedly under federal scrutiny. The Wall Street Journal reported a probe into allegedly deceptive social media promotions featuring users touting winnings, adding a regulatory front to the security one.

Market impact

The refund commitment softens the immediate hit to retail PUSD holders, but it does not address the pattern: every recent breach has traced back to an external vendor or login provider, not to Polymarket's smart contracts. For a venue whose core pitch is high-trust price discovery on real-world events, repeated trust-side failures at the same vendor boundary are the harder narrative to outrun. The next test is whether Polymarket can isolate its frontend from third-party dependencies entirely, or whether the next breach will hit through the same seam.

Frequently asked questions

  1. Has Polymarket been hacked before?

    In March, on-chain investigator ZachXBT flagged more than $520,000 drained from two Polygon smart contracts, which Polymarket said were safe. In December, users reported missing funds and suspicious logins on its Discord channel, blamed on an unnamed third-party login provider.

Source attribution
Aggregated from CoinDesk