Polymarket has confirmed a phishing attack that drained nearly $2.94 million from user accounts. The core trading system was not breached. Instead, the attack came through a vulnerability at a third-party vendor, which let malicious code reach part of Polymarket’s frontend and trigger a wallet-draining scam.

Current estimates put the damage at fewer than 15 accounts, with at least 11 wallets affected. Polymarket says the malicious dependency was removed, the incident was contained, impacted users were contacted, and those users will be reimbursed.

That softens the financial blow for customers. But the bigger point is harder to ignore: Polymarket's markets kept running, yet a malicious dependency from a third-party vendor in the frontend was still enough to drain wallets. The lesson here is simple. In crypto, users do not need the core engine to fail to get hurt. A bad dependency in the interface they click can be enough.