Polymarket frontend vendor compromise drains ~$3.1M in PUSD from 11+ user wallets

A poisoned JS dependency on Polymarket's frontend drained ~$3.1M in PUSD from 11+ wallets on June 25, swapped into ~1,893 ETH. Contracts untouched; refunds promised.

A malicious script injected through a compromised third-party frontend vendor drained approximately $2.94M–$3.1M in PUSD from at least 11 user wallets on Polymarket starting around 14:28 UTC on June 25, 2026, according to on-chain investigator Specter (@SpecterAnalyst), who first flagged the drain. AMLBot later updated the running total to ~$3.1M. Polymarket's smart contracts on Polygon were not compromised — the attack lived entirely in the browser. The platform removed the bad dependency, pledged full refunds, and is dealing with the incident in parallel with a separate CFTC inquiry.

What happened

A poisoned JavaScript dependency loaded by Polymarket's web frontend served a phishing flow to some users for an unknown window before Specter's first public post at 14:28 UTC. The script targeted approvals and transfers of PUSD, the platform's USD-pegged stablecoin issued on Polygon. Approximately 15 minutes after Specter's alert, Polymarket acknowledged the breach publicly and said it had contained the issue, removed the affected vendor dependency, and would fully refund impacted users.

Specter's initial tally was $2.94M across at least 11 wallets; AMLBot's later trace updated losses to about $3.1M with the same victim count. One outlet describes the impact as "fewer than 15 accounts" — consistent with the 11 figure.

Mechanism — supply-chain frontend compromise

This was not a smart-contract exploit and not a private-key compromise. The attacker poisoned a third-party frontend dependency loaded by polymarket.com. When a victim opened the site, their browser executed the malicious code as if it were Polymarket's own:

  1. The injected script intercepted wallet interaction flows in the user's browser session.
  2. Victims were prompted to sign transactions that approved or moved PUSD to attacker-controlled paths.
  3. Stolen PUSD was bridged from Polygon → Ethereum and swapped on Ethereum into ≈ 1,893 ETH.
  4. Proceeds were consolidated on Ethereum at the address Specter identified as the attacker's consolidation wallet (see On-chain trail).

The on-chain contracts that settle Polymarket markets — deployed on Polygon — were never called by the attacker. Only individual users who interacted with the poisoned site during the attack window lost funds.
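
Step 2 works only if the victim signs calldata without reading it. The sketch below is an added example, not code from Polymarket or from any wallet: it decodes the standard ERC-20 `approve`, `transfer` and `transferFrom` calldata in a signing request and flags a counterparty that is not on an allowlist. The allowlist and every address in it are constructed placeholders.

```javascript
// Added example: decode ERC-20 calldata before signing and flag risky requests.
// All addresses are constructed placeholders, not real Polymarket or attacker addresses.
const SELECTORS = {
  '095ea7b3': 'approve',      // approve(address spender, uint256 amount)
  'a9059cbb': 'transfer',     // transfer(address to, uint256 amount)
  '23b872dd': 'transferFrom', // transferFrom(address from, address to, uint256 amount)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Split ABI-encoded arguments into 32-byte words (64 hex characters each).
function words(hex) {
  if (hex.length % 64 !== 0) throw new Error('malformed calldata length');
  return hex.match(/.{64}/g) || [];
}

// An address argument is a 20-byte value left-padded with 12 zero bytes.
function toAddress(word) {
  if (!/^0{24}/.test(word)) throw new Error('address word is not zero-padded');
  return '0x' + word.slice(24);
}

function inspectCalldata(data, trustedCounterparties) {
  const hex = data.replace(/^0x/i, '').toLowerCase();
  const method = SELECTORS[hex.slice(0, 8)];
  if (!method) return { method: 'unknown', verdict: 'review', reasons: ['unrecognised selector'] };
  const args = words(hex.slice(8));
  const expected = method === 'transferFrom' ? 3 : 2;
  if (args.length !== expected) throw new Error('unexpected argument count');
  // Counterparty is the spender (approve) or the recipient (transfer, transferFrom).
  const counterparty = toAddress(args[expected - 2]);
  const amount = BigInt('0x' + args[expected - 1]);
  const reasons = [];
  if (!trustedCounterparties.has(counterparty)) reasons.push('counterparty not on allowlist');
  if (method === 'approve' && amount === MAX_UINT256) reasons.push('unlimited allowance');
  return { method, counterparty, amount, verdict: reasons.length ? 'block' : 'allow', reasons };
}

// Constructed sample requests.
const TRUSTED = new Set(['0x' + '11'.repeat(20)]);
const SAMPLE_DRAIN = '0x095ea7b3' + '0'.repeat(24) + '22'.repeat(20) + 'f'.repeat(64);
const SAMPLE_OK = '0x095ea7b3' + '0'.repeat(24) + '11'.repeat(20) + (1000n).toString(16).padStart(64, '0');
console.log(inspectCalldata(SAMPLE_DRAIN, TRUSTED).reasons);
console.log(inspectCalldata(SAMPLE_OK, TRUSTED).verdict);
```
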

On-chain trail

  • Attacker consolidation address (Ethereum): 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD, per Specter's public attribution.
  • Fund flow: PUSD drained on Polygon → bridged to Ethereum → swapped into approximately 1,893 ETH → consolidated at the address above.
  • AMLBot (@AMLBotHQ) independently traced the same flow and revised the total to ~$3.1M across 11 wallets.

We could not independently confirm a Polymarket-issued post-mortem with deeper detail at the time of writing; the public attribution chain at this point is Specter (initial) and AMLBot (revised tally), both posted on X.

Numbers

- Loss (initial Specter tally)   : ~$2.94M
- Loss (AMLBot revised)          : ~$3.1M
- Affected wallets               : at least 11
- Token drained                  : PUSD (Polygon)
- Asset consolidated             : ~1,893 ETH on Ethereum
- Chain of attack                : browser frontend (no contract compromise)
- Vector                         : compromised third-party JS vendor dependency
- Polymarket smart contracts     : not touched
- First public alert             : 2026-06-25, ~14:28 UTC (Specter)
- Polymarket acknowledgement     : ~15 min after Specter's post
- Refund commitment              : full, per Polymarket statement

Impact and what to watch

  1. Refund execution. Polymarket has stated affected users will be made whole; track whether the refund process actually completes for all 11+ wallets without exclusions, and on what timeline.
  2. Vendor identification. As of writing, Polymarket has attributed the compromise to a "third-party vendor" but has not publicly identified which dependency was poisoned. Naming the vendor matters because the same dependency may be loaded by other dapps.
  3. Compromised approvals still live. Any wallet that interacted with the site during the attack window should review token approvals for PUSD (and any other ERC-20 it signed during the window) on Polygon and revoke anything granted to addresses other than known Polymarket contracts.
  4. CFTC inquiry in parallel. The hack lands while Polymarket is already subject to a CFTC probe over US-resident market access. The two are unrelated by content but compound the platform's regulatory exposure.
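
For the approval review in item 3, the following added example (not Polymarket's tooling) replays ERC-20 `Approval` logs for one wallet and lists spenders that still hold a non-zero allowance and are not on a trusted list. The log objects follow the `eth_getLogs` shape; the owner, token and spender addresses are constructed placeholders, and the trusted set is an assumption the user must fill from Polymarket's published contract addresses.

```javascript
// Added example: rebuild outstanding ERC-20 allowances from Approval logs.
// keccak256("Approval(address,address,uint256)"), shared by ERC-20 and ERC-721.
const APPROVAL_TOPIC = '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925';
const pad = (addr) => '0x' + '0'.repeat(24) + addr.slice(2).toLowerCase();
const unpad = (topic) => '0x' + topic.slice(26).toLowerCase();

function liveApprovals(logs, owner, trustedSpenders) {
  const ownerTopic = pad(owner);
  const ordered = logs
    // ERC-20 Approval has 3 topics; ERC-721 indexes tokenId too (4 topics), so skip it.
    .filter((l) => l.topics.length === 3
      && l.topics[0].toLowerCase() === APPROVAL_TOPIC
      && l.topics[1].toLowerCase() === ownerTopic)
    .sort((a, b) => Number(a.blockNumber) - Number(b.blockNumber)
      || Number(a.logIndex) - Number(b.logIndex));
  const latest = new Map(); // "token|spender" -> most recent approved amount
  for (const l of ordered) {
    latest.set(l.address.toLowerCase() + '|' + unpad(l.topics[2]), BigInt(l.data));
  }
  const findings = [];
  for (const [key, allowance] of latest) {
    const [token, spender] = key.split('|');
    if (allowance > 0n && !trustedSpenders.has(spender)) findings.push({ token, spender, allowance });
  }
  return findings;
}

// Constructed sample data: placeholder owner, token and spenders.
const OWNER = '0x' + 'aa'.repeat(20);
const TOKEN = '0x' + 'cc'.repeat(20);
const KNOWN = '0x' + '11'.repeat(20);
const amt = (n) => '0x' + n.toString(16).padStart(64, '0');
const mk = (block, spender, n, extra = []) => ({
  address: TOKEN, blockNumber: block, logIndex: 0, data: amt(n),
  topics: [APPROVAL_TOPIC, pad(OWNER), pad(spender), ...extra],
});
const SAMPLE_LOGS = [
  mk(103, '0x' + '33'.repeat(20), 0n),            // later revocation of the grant below
  mk(100, KNOWN, (1n << 256n) - 1n),              // trusted spender, ignored
  mk(101, '0x' + '22'.repeat(20), 5000n),         // unknown spender, still live
  mk(102, '0x' + '33'.repeat(20), 1n),            // unknown spender, revoked at 103
  mk(104, '0x' + '44'.repeat(20), 7n, [amt(7n)]), // ERC-721 style log, skipped
];
console.log(liveApprovals(SAMPLE_LOGS, OWNER, new Set([KNOWN])));
```

Approval logs record what was granted, not what remains after `transferFrom` spends it, so confirm each finding with the token's `allowance(owner, spender)` call before revoking.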

Context — the supply-chain category is the dominant L2 frontend risk now

A frontend supply-chain compromise of this shape — poisoned third-party script, phishing flow injected client-side, contracts untouched — is the same class as the Curve frontend compromise of August 2022 (front-end DNS hijack), the BadgerDAO Cloudflare incident of 2021, and the steady drumbeat of wallet-drainer phishing kits distributed via compromised JS CDNs in 2024–2025. The category has not gone away; if anything, 2026 has shown contract surfaces hardening while the browser surface has stayed soft. The pattern: when contracts pass audit, the next softest target is the build pipeline that delivers the JavaScript loaded next to them.

This is the third such platform-level incident on the site in under a year, per several outlets covering the disclosure. Users running script-blocking extensions and with hardware-wallet "blind signing" turned off were less likely to have been drained; the population at risk was, as is typical for this category, users on default browser configurations interacting through the site UI.
