Polymarket, a major cryptocurrency-based prediction market platform, has confirmed it will reimburse users after a supply-chain attack led to approximately $3 million in losses. The incident stemmed from a breach in a third-party frontend dependency, which allowed attackers to inject malicious JavaScript into the platform’s user interface.
The injected script manipulated the normal user experience on Polymarket’s website, tricking users into approving unauthorized blockchain transactions. While Polymarket’s backend systems and core infrastructure were not compromised, the frontend manipulation was sufficient to redirect legitimate user actions into fraudulent transfers.
Blockchain security analysts, including firms tracking the incident on-chain, report that the stolen funds were quickly moved across networks and converted into Ethereum. The attack appears to have impacted a relatively small number of wallets—fewer than 15—yet resulted in significant financial losses concentrated among those affected accounts.
Investigators describe the incident as a classic frontend supply-chain compromise, where trusted external dependencies become the entry point for injecting malicious code into otherwise legitimate web applications. Polymarket has stated it will fully reimburse affected users while continuing to investigate the compromised dependency and harden its frontend supply chain.
