Prediction market platform Polymarket says it will fully compensate affected users after a compromised third-party vendor injected malicious code into its front-end. The injection exposed some users to a phishing attack that blockchain security researchers estimate drained nearly $3 million.
In a statement published on June 25, Polymarket said it had discovered the compromised vendor earlier that day, removed the affected dependency, and contained the incident. The company added that it is communicating with the affected users and will refund their money in full.
The incident appears to have only affected users who interacted with the compromised front-end during the attack window rather than the platform’s underlying smart contracts.
A malicious script was inserted through a third-party compromise
According to Polymarket, the attack originated from a compromised third-party vendor that injected a malicious script into parts of the platform's front-end.
The company said it has since removed the affected dependency and contained the incident. However, it did not reveal the identity of the hacked vendor or issue a detailed technical post-mortem report.
The platform confirmed that it is working directly with affected users while it continues its investigations.
Security companies estimate losses at about $3 million
Blockchain security firm PeckShield reported that the incident appears to be a phishing campaign targeting Polymarket users.
According to its findings, the attackers drained almost $3 million in PUSD from more than 11 victim wallets before transferring the stolen funds from Polygon to Ethereum.
The attacker then exchanged the proceeds for approximately 1,893 Ethereum and consolidated the assets into a monitored Ethereum address, the researchers said.
Polymarket has not publicly confirmed the estimated losses or the number of wallets affected.
The platform promises full reimbursement
Unlike many phishing incidents that leave users liable for losses, Polymarket said it intends to compensate everyone affected by the attack.
The company said it is contacting affected users directly while it continues to investigate the breach.
No timeline has been provided for the reimbursement process, and no full report on the incident has been released.
Final summary
- Polymarket says a compromised third-party vendor injected malicious code into the front-end and pledges to compensate affected users.
- Security researchers estimate that the phishing campaign stole approximately $3 million before the funds were transferred to Ethereum.





