Polymarket Phishing Loss Climbs to $3.1 Million After Full-Refund Pledge
June 28, 2026 9:07 am
The Polymarket phishing attack is now pegged at roughly $3.1 million in stolen PUSD, an increase over earlier estimates.
Blockchain intelligence firm AMLBot updated the loss figure, and 11 user wallets were affected.
The stolen funds were taken from Polygon and then bridged to Ethereum. Polymarket has pledged to refund affected users in full.
The attack did not break the core prediction-market protocol, and it did not hit every Polymarket user. The vector was a third-party vendor that fed malicious code into the front end for some people.
Polymarket Traders described the vendor and front-end mechanics behind the incident response. Polymarket Traders said a third-party vendor had been compromised and had injected malicious code into the front end for some users.
That statement matters because it points away from a simple lost-key narrative and toward the fragile software supply chain around crypto apps. The post also said the issue had been contained and the affected dependency removed.
That is the immediate remediation point readers need. The same update said impacted users were being contacted and would be refunded in full.
The refund promise is important, but it is not the same thing as preventing the incident. Prediction markets depend on users feeling that the interface in front of them is trustworthy.
A malicious-code incident attacks that trust at the exact moment these markets are trying to go mainstream.
Polymarket Under Attack
Polymarket users were drained of ~$3.1M in PUSD on Polygon via phishing / malicious EIP-7702 delegated execution.
Funds were converted to USDC.e via Relay, bridged to Ethereum, swapped to ETH, and consolidated at… pic.twitter.com/bG3GYZZ1D9
— AMLBot (@AMLBotHQ) June 27, 2026
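The AMLBot post above names EIP-7702 delegated execution. As an added example (not code from Polymarket, AMLBot or this article), the check below classifies the value an `eth_getCode` call returns for a wallet and flags delegations to addresses outside a reviewed allowlist; the function names, allowlist and sample addresses are constructed for illustration.

```javascript
// EIP-7702 marks a delegated EOA by setting its code to
// 0xef0100 || <20-byte delegate address> (23 bytes in total).
const DELEGATION_PREFIX = "ef0100";

// Classify the hex string returned by eth_getCode for one address.
function classifyAccountCode(codeHex) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new TypeError("expected 0x-prefixed hex with an even number of digits");
  }
  const hex = codeHex.slice(2).toLowerCase();
  if (hex.length === 0) return { kind: "plain-eoa", delegate: null };
  // Exactly 46 hex chars starting with the designator means a delegation.
  if (hex.length === 46 && hex.startsWith(DELEGATION_PREFIX)) {
    return { kind: "delegated-eoa", delegate: "0x" + hex.slice(6) };
  }
  return { kind: "contract", delegate: null };
}

// Flag every wallet whose delegate is not on the reviewed allowlist.
function auditWallets(codeByWallet, trustedDelegates) {
  const trusted = new Set(trustedDelegates.map((a) => a.toLowerCase()));
  const findings = [];
  for (const [wallet, code] of Object.entries(codeByWallet)) {
    const result = classifyAccountCode(code);
    if (result.kind === "delegated-eoa" && !trusted.has(result.delegate)) {
      findings.push({ wallet, delegate: result.delegate });
    }
  }
  return findings;
}

// Constructed sample data: placeholder addresses, not values from the incident.
const SAMPLE_CODES = {
  "0x1111111111111111111111111111111111111111": "0x", // no code
  "0x2222222222222222222222222222222222222222": "0xef0100" + "aa".repeat(20),
  "0x3333333333333333333333333333333333333333": "0xEF0100" + "bb".repeat(20),
  "0x4444444444444444444444444444444444444444": "0x6080604052", // contract
};
const SAMPLE_TRUSTED = ["0x" + "AA".repeat(20)]; // hypothetical reviewed delegate

console.log(auditWallets(SAMPLE_CODES, SAMPLE_TRUSTED));
```

In practice the code strings would come from an RPC node for each wallet under review, and any flagged delegate would be inspected before the wallet signs anything further.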
Bubblemaps added affected-account and loss-size context after reviewing the incident. Bubblemaps posted that it counted fewer than 15 affected accounts and about $3 million in losses being refunded.
That estimate lines up with the broader picture of a serious but contained incident. The useful distinction is containment versus seriousness.
Fewer than 15 affected accounts is a narrow footprint compared with a broad platform compromise. Roughly $3 million in losses is still large enough to matter to users, auditors and competitors.
Bubblemaps also framed the response as strong because refunds were being made. That helps explain why the market did not need to read the incident as a death blow to Polymarket.
It should still read it as a reminder that front-end security and vendor risk are now core financial infrastructure concerns.
Here is why this lands harder than a single hack headline.
Prediction markets now sit on the same rails as the rest of crypto: stablecoin payments, fast bridges, consumer-grade apps, and a growing pile of trading volume. Polymarket runs PUSD on Polygon, and the stolen funds moved to Ethereum almost immediately.
Speed cuts both ways. The same cross-chain plumbing that makes settlement fast also lets an attacker move stolen value before most people notice.
The compromise came through a front-end vendor, not the smart contracts. As prediction markets pull in mainstream users, that attack surface grows with every dependency a team adds to the website.
CoinDesk reported the updated loss estimate and cross-chain movement in the Polymarket incident. CoinDesk said blockchain intelligence firm AMLBot updated the Polymarket phishing loss to roughly $3.1 million in PUSD.
The report said 11 user wallets were affected. It also said funds were taken from Polygon and immediately bridged to Ethereum.
That cross-chain movement is a key security detail because stolen funds can become harder to freeze or recover once they move quickly across networks. CoinDesk also reported that Polymarket had pledged full refunds.
That keeps the user-damage story separate from the system-security story. Refunds can make affected users whole, but they do not erase the concern that a vendor or front-end compromise can turn a mainstream crypto app into a phishing surface.
That is the real PCN angle.
LATEST: The Polymarket phishing attack stole roughly $3.1M in PUSD from 11 user wallets, blockchain intel firm @AMLBotHQ updated Saturday. Funds were taken from Polygon and immediately bridged to Ethereum.
Polymarket has pledged full refunds. pic.twitter.com/hPs0eYt2hX
— CoinDesk (@CoinDesk) June 27, 2026
Refunds restore the balances. They do not patch the soft underbelly that mainstream prediction markets are exposing, which is the gap between hardened protocols and the everyday front ends users actually touch.
Polymarket handled the cleanup well. The next platform that grows this fast should assume its website, not its contracts, is the door an attacker walks through.
