Polymarket Hit by Supply Chain Attack Amid Regulatory Pressure

Polymarket confirms a supply chain attack affecting 11 users. Hackers stole PUSD tokens, converting them to 1,893 ETH as regulatory scrutiny intensifies.

The recent security breach marks yet another blow to Polymarket, a company already struggling under intense regulatory and public scrutiny over the past few weeks.

Polymarket reported that the incident was a “supply chain” attack, executed by compromising a third-party service provider. Hackers embedded malware into the platform’s user interface, allowing them to drain funds directly from the crypto wallets of users who had connected their addresses to the site.

Initial findings indicate that at least 11 users were affected. The stolen assets, primarily PUSD tokens, were moved from the Polygon network to Ethereum and then converted into approximately 1,893 ETH—a common tactic used to obscure the transaction trail.

The company stated that the vulnerability has been patched and the compromised third-party dependency removed. Affected users are set to receive full compensation. However, Polymarket did not specify whether it holds insurance for such incidents or if the losses will be covered using its own capital.

Another Setback During a Challenging Period

This cyberattack hits Polymarket at a time when the platform is already facing significant external pressure.

Earlier this week, a Wall Street Journal investigation revealed that the platform funded online content creators to post misleading videos featuring fake bets and fictitious winnings totaling nearly $2 million. Following the report, the company announced an internal audit of its marketing strategies.

In June, Polymarket was also caught in a controversy regarding a market tied to a potential peace agreement with Iran. It emerged that just nine anonymous wallets controlled over half of the votes in the platform’s dispute resolution process, raising serious questions about the protocol’s governance and decentralization.

Regulatory Heat Intensifies for Polymarket

The company continues to grapple with regulatory hurdles in multiple jurisdictions. Access to the platform remains restricted in France, Belgium, Poland, Italy, India, and Spain due to licensing requirements and strict gambling regulations.

This breach represents the second major security incident for Polymarket in just a few months. Back in May, the platform reported a loss of roughly $520,000 after an old cryptographic private key was compromised.

The latest attack highlights the escalating risks of third-party service compromises within the crypto sector. Rather than attacking blockchain infrastructure directly, hackers are increasingly targeting web interfaces and external software components, which often prove to be the weakest links in the security chain.