arrow back

Hackers Stole $3.1 Million from Polymarket Users

28 Jun 2026

Hackers stole $3.1 million from Polymarket users in a Polygon phishing attack. Learn how it happened and what traders should do next.

Hackers stole about $3.1 million from Polymarket users during a phishing attack on the Polygon network, and the platform promised full reimbursement. The hardest hit were traders who held PUSD and signed requests through the service interface.

The incident became known on June 27, 2026, thanks to AMLBot data. According to their estimate, the attackers used the malicious delegated execution mechanism EIP-7702, converted PUSD into USDC.e via Relay, moved the assets from Polygon to Ethereum, and then swapped them for ETH. In the end, about 1,891.9 ETH ended up on new addresses, and the largest of them controls approximately 1,788.5 ETH. At the ETH rate of $1,570.36, that is nearly $2.97 million and $2.81 million respectively.

According to BleepingComputer, the attack is linked to June 25, 2026, and Polymarket’s backend and servers were not compromised. The problem came through a third-party vendor and a malicious script in the web interface. This is an important detail, because for the user everything looked like a normal website, while the risk came not from the network itself, but from the supply chain.

Why did this attack hit Polymarket users specifically?

It all comes down to trust in the interface. A person opens the site, sees familiar buttons, signs a request, and at that very moment malicious code slips in the wrong approval. In simple terms, the attacker did not break the blockchain; they replaced what the user saw.

Polymarket stated directly that, according to its data, the cause of the incident was a compromise of a third-party provider. The company said it had contained the issue, removed the compromised dependency, and started contacting affected users. It also promised to fully compensate the losses. This is not the first blow to the platform’s reputation, and against this backdrop we also recall the recent story of an Ethereum MEV bot losing up to $15 million, where it was also clear how quickly funds can change addresses.

Market reaction

AMLBot were the first to describe the scheme involving PUSD, USDC.e, Ethereum, and consolidation across three new addresses. PeckShield also confirmed a large-scale phishing campaign. They estimated the losses at about $3 million and said the attacker moved the funds from Polygon to Ethereum and swapped them for about 1,893 ETH.

"It appears that the phishing campaign targeted Polymarket users, who lost about $3 million in PUSD. The attacker moved the funds from Polygon to Ethereum and swapped them for approximately 1,893 ETH," PeckShield said.

There is another important detail. According to Specter and Bubblemaps, at least 11 wallets were affected, and in total fewer than 15 accounts. If you roughly divide $3.1 million by 11 victims, that comes to about $282,000 per wallet. This is not a small theft from a random account. This is a targeted strike against users who had significant sums on the service.

  • Losses: about $3.1 million.

  • Attack network: Polygon, then Ethereum.

  • Asset: PUSD, then USDC.e and ETH.

  • AMLBot estimate: 1,891.9 ETH across three addresses.

  • Largest wallet: about 1,788.5 ETH.

  • According to researchers, at least 11 wallets were affected.

What does this mean for investors?

For those who actively trade on a prediction market or keep funds there, the main takeaway is very simple: you need to check not only the network, but also the permissions in your wallet. EIP-7702, which appeared back on May 7, 2024, opens up new delegation possibilities, but also new doors for scammers. According to the specification, a single signed authorization tuple can give persistent execution control over an account if the user does not understand what exactly they are confirming.

For Ukrainian users, there is also a practical lesson here. If you work with DeFi, prediction markets, or any site where you sign transactions, it is worth periodically reviewing token approvals and revoking unnecessary ones. This is not paranoia. It is basic security hygiene. By the way, similar attacks often hit people who have not checked their permissions for a long time, rather than those who trade every day.

Another nuance that is hard to ignore: Polymarket already had a difficult backdrop. The platform had previously announced plans to tighten geographic restrictions and AML controls, and in May 2026 the CFTC filed a complaint against Google engineer Michele Spagnuolo, accusing him of insider trading on Polymarket with profits of about $1.2 million. In other words, pressure from both security and regulators is rising at the same time.

Frequently asked questions

How much money did Polymarket users lose?

According to the available data, about $3.1 million in PUSD. AMLBot and PeckShield described a scheme in which the funds passed through Polygon, Ethereum, and were consolidated on new addresses.

Was the Polymarket platform itself hacked?

According to BleepingComputer, no. This was an attack through a third-party provider and a malicious script in the web interface, not a compromise of Polymarket’s servers or backend.

What should users do after such an attack?

First of all, check and revoke unnecessary approvals in your wallet. If you use services that require transaction signatures, it is better to look again at exactly what you are signing, especially when the site asks for unusual permissions.

Polymarket promised compensation, but the story itself has already become another warning sign for everyone working with on-chain services: one malicious script can be very costly. If you need to quickly cash out crypto into hryvnia, you can sell USDT TRC20 for hryvnia to a card without extra steps or long waits.

This material is not financial advice. Cryptocurrency trading involves significant risks. Part of this text was prepared with the help of artificial intelligence based on public sources and reviewed by our editorial team.