{"id":33127,"date":"2026-06-26T09:32:30","date_gmt":"2026-06-26T09:32:30","guid":{"rendered":"https:\/\/bitunikey.com\/news\/polymarket-to-refund-users-after-2-94m-frontend-phishing-attack\/"},"modified":"2026-06-26T09:32:45","modified_gmt":"2026-06-26T09:32:45","slug":"polymarket-to-refund-users-after-2-94m-frontend-phishing-attack","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/polymarket-to-refund-users-after-2-94m-frontend-phishing-attack\/","title":{"rendered":"Polymarket to refund users after $2.94M frontend phishing attack"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Polymarket has confirmed that attackers compromised a third-party vendor and used the access to inject malicious code into the platform\u2019s frontend, leading to a phishing attack that drained an estimated $2.94 million from users.<\/p>\n<div id=\"cn-block-summary-block_ac3537d078c0762b5eacc3aaf5d21559\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Polymarket said a third-party vendor compromise enabled a phishing attack that stole about $2.94 million from at least 11 user wallets.<\/li>\n<li>The platform removed the malicious dependency, contained the incident and said all affected users will receive full refunds.<\/li>\n<li>DefiLlama recorded the attack as the 89th crypto security breach of the second quarter, the highest quarterly total by incident count in its records.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>Polymarket disclosed on X that it has removed the affected dependency, contained the incident, and will fully reimburse affected users.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote 
class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We&#8217;ve contained it &amp; removed the affected dependency. We&#8217;re contacting impacted users &amp; refunding them in full.<\/p>\n<p>\u2014 Polymarket Traders (@PolymarketTrade) <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/PolymarketTrade\/status\/2070155882906730671?ref_src=twsrc%5Etfw\">June 25, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Blockchain analyst Specter estimated that the attack drained funds from at least 11 wallets after the malicious script appeared on the platform\u2019s frontend.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far.<\/p>\n<p>The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds into the following address:\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/6WfS0JhdDG\">pic.twitter.com\/6WfS0JhdDG<\/a><\/p>\n<p>\u2014 Specter (@SpecterAnalyst) <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/SpecterAnalyst\/status\/2070152064051605517?ref_src=twsrc%5Etfw\">June 25, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\">Frontend compromise targets user wallets<\/h2>\n<p>Specter identified the attack as a phishing campaign rather than a protocol exploit. 
The analyst said the injected script enabled attackers to steal funds from connected wallets after users interacted with the compromised interface.<\/p>\n<p>DefiLlama <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/defillama.com\/hacks\" target=\"_blank\" rel=\"nofollow\">recorded<\/a> the incident as the 89th reported crypto security breach of the second quarter, making it the highest quarterly total by incident count in the platform\u2019s records.<\/p>\n<p>DefiLlama also reported $74.9 million in losses across 29 crypto exploits during June. That total exceeded May\u2019s $60.5 million but remained well below April\u2019s $644 million.<\/p>\n<p>The platform listed the $36 million Humanity Protocol exploit as June\u2019s largest attack. Other major incidents included a $4.7 million exploit involving the Secret Network bridge, two separate $2.1 million exploits affecting Aztec, and a $1.7 million bridge exploit on Taiko.<\/p>\n<p>DefiLlama reported that private key compromises accounted for 43% of exploit losses over the past 30 days. Fake proof exploits represented 10% of losses, while reverse MEV honeypots accounted for 8%.<\/p>\n<h2 class=\"wp-block-heading\">Previous exploit traced to compromised private key<\/h2>\n<p>Polymarket disclosed a separate security incident about a month earlier after attackers exploited a six-year-old private key used for internal top-up operations and stole about $600,000.<\/p>\n<p>Security researchers, including ZachXBT, PeckShield, and Bubblemaps, initially flagged suspicious activity involving Polymarket\u2019s UMA CTF Adapter contract on Polygon. 
Bubblemaps reported that attackers were withdrawing 5,000 POL every 30 seconds, and later estimated total losses at roughly $600,000.<\/p>\n<p>Polymarket protocol contributor Shantikiran Chanal later attributed that incident to a compromised wallet used for internal operations rather than a vulnerability in the platform\u2019s contracts or core infrastructure.<\/p>\n<p>Josh Stevens, the company\u2019s vice president of engineering, stated at the time that user funds and smart contracts remained secure and that all permissions linked to the compromised key had been revoked.<\/p>\n<\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Polymarket has confirmed that attackers compromised a third-party vendor and used the access to inject malicious code into the platform\u2019s frontend, leading to a phishing attack that drained an&hellip;<\/p>\n","protected":false},"author":1,"featured_media":29977,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-33127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/33127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=33127"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/33127\/revisions"}],"predecessor-version":[{"id":33128,"href":"https:\/\/bitu
nikey.com\/news\/wp-json\/wp\/v2\/posts\/33127\/revisions\/33128"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/29977"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=33127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=33127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=33127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}