Verify a decision

{"actor":"system:backfill","investigation_id":"7a7d6f74-f219-4c4c-8b8c-4a9c8ef4fbe9","kind":"publish","page_slug":"polymarket-june-2026-supply-chain-attack","published_at":"2026-06-28T17:08:25.953Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Polymarket — June 2026 Supply Chain Attack","sections":[{"content":"On June 25, 2026, Polymarket confirmed a supply chain attack in which a compromised third-party frontend vendor was used to inject malicious JavaScript into the platform's website. The script ran silently in users' browsers and tricked connected wallets into approving or signing transactions that drained their pUSD balances. Polymarket's core smart contracts were not breached. Security analysts from PeckShield, SpecterAnalyst, and GoPlus independently tracked on-chain activity confirming the scope of the theft. AMLBot placed the total loss at $3.1 million across at least 11 confirmed user wallets on the Polygon network. Polymarket declined to publicly identify the compromised vendor.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":2,"name":"Polymarket customers lose $3 million in supply-chain attack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/"},{"credibility":2,"name":"AMLBot Puts Polymarket Phishing Toll at $3.1M Across 11 Wallets — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/amlbot-polymarket-phishing-3-1-million-11-wallets-ethereum"},{"credibility":3,"name":"Polymarket Hack Drains $3M in PUSD via Frontend Exploit — Our Crypto Talk","type":"news_article","url":"https://ourcryptotalk.com/news/polymarket-hack-pusd-frontend-exploit"},{"credibility":2,"name":"Polymarket confirms breach: users find their accounts hacked, $3 million drained — Cybernews","type":"news_article","url":"https://cybernews.com/security/polymarket-hit-by-cyberattack-via-third-party-dependency/"}]},{"content":"Attackers exploited a third-party JavaScript dependency loaded directly into Polymarket's frontend. When users with connected wallets visited the site during the attack window, the injected script triggered wallet signature requests that authorized unauthorized transfers of pUSD, Polymarket's native collateral token launched in April 2026 and backed 1:1 by USDC on Polygon. The stolen pUSD was subsequently bridged from Polygon to Ethereum. On-chain analysts identified the proceeds being consolidated into a single Ethereum address (0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD) after being swapped for approximately 1,893 ETH. The attacker's Polygon-to-Ethereum bridge movement was independently tracked by PeckShield, SpecterAnalyst, and GoPlus. No vulnerability in Polymarket's smart contract layer was identified.","heading":"Attack Mechanism and Fund Movement","severity":"critical","sources":[{"credibility":3,"name":"Polymarket Hack Drains $3M in PUSD via Frontend Exploit — Our Crypto Talk","type":"news_article","url":"https://ourcryptotalk.com/news/polymarket-hack-pusd-frontend-exploit"},{"credibility":2,"name":"Polymarket updates hack loss to $3.1M, pledges full refunds — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/polymarket-hack-loss-3m-full-refunds/"},{"credibility":2,"name":"AMLBot Puts Polymarket Phishing Toll at $3.1M Across 11 Wallets — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/amlbot-polymarket-phishing-3-1-million-11-wallets-ethereum"}]},{"content":"Polymarket acknowledged the breach on June 25, 2026, stating it had moved quickly to remove the affected third-party dependency. The platform committed to making every affected user whole through full refunds and began contacting impacted users directly. Polymarket did not publicly identify the compromised vendor. The platform stated its smart contracts and core infrastructure were unaffected. No law enforcement referral or public post-mortem identifying the specific vendor or attack vector details had been published as of late June 2026.","heading":"Platform Response and Refund Pledge","severity":"high","sources":[{"credibility":2,"name":"Polymarket updates hack loss to $3.1M, pledges full refunds — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/polymarket-hack-loss-3m-full-refunds/"},{"credibility":2,"name":"Polymarket Users Hit by $3M Frontend Exploit; Platform Vows Refunds — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/polymarket-users-hit-by-3m-frontend-exploit-platform-vows-refunds/"},{"credibility":2,"name":"Polymarket Hit by $3 Million Frontend Exploit in Supply Chain Attack — Cyberinsider","type":"news_article","url":"https://cyberinsider.com/polymarket-suffers-supply-chain-attack-leading-to-3-million-crypto-theft/"}]},{"content":"Approximately five weeks before the June 2026 supply chain attack, on May 22, 2026, Polymarket suffered a separate security incident. On-chain investigator ZachXBT flagged suspicious activity in which an attacker exploited a compromised private key belonging to an internal Polymarket operations wallet linked to the platform's rewards payout system. The attacker withdrew funds in batches of approximately 5,000 POL every 30 seconds. Reports placed losses at between $520,000 and $700,000. Polymarket stated that user funds and market resolutions remained safe and attributed the incident to a private key compromise of a six-year-old internal wallet, not a smart contract vulnerability. Polygon Labs' CTO confirmed that Polymarket's contracts and user funds were safe. CoinDesk reported ZachXBT's initial $520,000 estimate on May 22, 2026.","heading":"Prior Security Incident — May 2026 Private Key Compromise","severity":"high","sources":[{"credibility":2,"name":"ZachXBT flags $520K Polymarket exploit on Polygon, team says funds are safe — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/22/zachxbt-flags-usd520k-polymarket-exploit-on-polygon-team-says-funds-are-safe"},{"credibility":2,"name":"Polymarket Says No Contract Exploit After Compromised Private Key Drains $573K — BeInCrypto","type":"news_article","url":"https://beincrypto.com/polymarket-exploit-with-520000-in-losses/"},{"credibility":2,"name":"Polymarket investigates private key compromise, no contract exploit found — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/polymarket-private-key-compromise-investigation/"},{"credibility":2,"name":"$2.94M Gone: Polymarket Phishing Attack Marks Second Breach in a Month — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/06/26/polymarket-phishing-attack-loss/"}]},{"content":"Concurrently with the June 2026 supply chain attack, the Commodity Futures Trading Commission was reported to be conducting a fresh investigation into Polymarket's marketing practices. CNBC reported on June 26, 2026, that the CFTC had opened an inquiry, citing a source with knowledge of the matter who did not disclose when the investigation began. The probe followed a Wall Street Journal report published on June 20, 2026, which alleged that approximately 70 percent of promotional videos reviewed showcased fake winning bets, with influencers appearing to win on the platform without wagering real money. Senators urged the CFTC to investigate the alleged staged trades, simulated websites, and undisclosed influencer promotions. Polymarket stated it was reviewing all active promotional content for compliance with company policies and applicable regulatory disclosure requirements. This regulatory action is separate from the security breach. Notably, both the CFTC and the Department of Justice had previously dropped inquiries into Polymarket in July 2025. Polymarket had launched a CFTC-regulated exchange for U.S. customers in December 2025.","heading":"CFTC Investigation and Deceptive Marketing Allegations","severity":"high","sources":[{"credibility":1,"name":"CFTC is conducting an investigation into Polymarket, source says — CNBC","type":"regulatory","url":"https://www.cnbc.com/2026/06/26/cftc-is-conducting-an-investigation-into-polymarket-source-says.html"},{"credibility":2,"name":"CFTC opens fresh investigation into Polymarket's marketing practices — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/cftc-probes-polymarket-prediction-market/"},{"credibility":2,"name":"US Senators Urge CFTC To Probe Polymarket Over Alleged Deceptive Marketing — Bitcoin World","type":"news_article","url":"https://bitcoinworld.co.in/us-senators-cftc-polymarket-investigation/"}]},{"content":"According to data tracked by DefiLlama, the Polymarket breach was the 89th recorded security incident in decentralized finance in the second quarter of 2026, which was reported as the highest quarterly count on record. The June 2026 attack illustrates systemic risks associated with frontend supply chain dependencies in DeFi platforms: because smart contracts are immutable and auditable, attackers have increasingly targeted the mutable, third-party-dependent frontend layer. The Polymarket incident is consistent with a broader class of attacks in which malicious JavaScript is injected through compromised CDN providers, npm packages, or vendor scripts.","heading":"Broader DeFi Security Context","severity":"medium","sources":[{"credibility":2,"name":"Polymarket Hack Exposes Users As Crypto Exploit Losses Rise — The Coin Republic","type":"news_article","url":"https://www.thecoinrepublic.com/2026/06/27/polymarket-hack-exposes-users-as-crypto-exploit-losses-rise/"},{"credibility":3,"name":"Polymarket $3M Hack: A Supply Chain Attack, Not a Smart Contract Exploit — Spazio Crypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/polymarket-hack-3-million-supply-chain-attack/"}]}],"sources_used":[{"credibility":2,"name":"Polymarket customers lose $3 million in supply-chain attack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/"},{"credibility":2,"name":"AMLBot Puts Polymarket Phishing Toll at $3.1M Across 11 Wallets, Funds Traced to Ethereum — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/amlbot-polymarket-phishing-3-1-million-11-wallets-ethereum"},{"credibility":3,"name":"Polymarket Hack Drains $3M in PUSD via Frontend Exploit — Our Crypto Talk","type":"news_article","url":"https://ourcryptotalk.com/news/polymarket-hack-pusd-frontend-exploit"},{"credibility":2,"name":"$2.94M Gone: Polymarket Phishing Attack Marks Second Breach in a Month — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/06/26/polymarket-phishing-attack-loss/"},{"credibility":2,"name":"Polymarket updates hack loss to $3.1M, pledges full refunds to affected users — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/polymarket-hack-loss-3m-full-refunds/"},{"credibility":1,"name":"CFTC is conducting an investigation into Polymarket, source says — CNBC","type":"regulatory","url":"https://www.cnbc.com/2026/06/26/cftc-is-conducting-an-investigation-into-polymarket-source-says.html"},{"credibility":2,"name":"CFTC opens fresh investigation into Polymarket's marketing practices — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/cftc-probes-polymarket-prediction-market/"},{"credibility":2,"name":"US Senators Urge CFTC To Probe Polymarket Over Alleged Deceptive Marketing — Bitcoin World","type":"news_article","url":"https://bitcoinworld.co.in/us-senators-cftc-polymarket-investigation/"},{"credibility":2,"name":"ZachXBT flags $520K Polymarket exploit on Polygon, team says funds are safe — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/22/zachxbt-flags-usd520k-polymarket-exploit-on-polygon-team-says-funds-are-safe"},{"credibility":2,"name":"Polymarket Says No Contract Exploit After Compromised Private Key Drains $573K — BeInCrypto","type":"news_article","url":"https://beincrypto.com/polymarket-exploit-with-520000-in-losses/"},{"credibility":2,"name":"Polymarket investigates private key compromise, no contract exploit found — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/polymarket-private-key-compromise-investigation/"},{"credibility":2,"name":"Polymarket Users Hit by $3M Frontend Exploit; Platform Vows Refunds — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/polymarket-users-hit-by-3m-frontend-exploit-platform-vows-refunds/"},{"credibility":2,"name":"Polymarket Hit by $3 Million Frontend Exploit in Supply Chain Attack — Cyberinsider","type":"news_article","url":"https://cyberinsider.com/polymarket-suffers-supply-chain-attack-leading-to-3-million-crypto-theft/"},{"credibility":2,"name":"Polymarket Hack Exposes Users As Crypto Exploit Losses Rise — The Coin Republic","type":"news_article","url":"https://www.thecoinrepublic.com/2026/06/27/polymarket-hack-exposes-users-as-crypto-exploit-losses-rise/"},{"credibility":3,"name":"Polymarket $3M Hack: A Supply Chain Attack, Not a Smart Contract Exploit — Spazio Crypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/polymarket-hack-3-million-supply-chain-attack/"},{"credibility":3,"name":"Hacker Steals $700,000 from Polymarket via Compromised Private Key — Quasa","type":"news_article","url":"https://quasa.io/media/hacker-steals-700-000-from-polymarket-via-compromised-private-key"}],"summary":"On June 25, 2026, Polymarket, a prominent prediction market platform, suffered a supply chain attack through a compromised third-party frontend vendor. Attackers injected malicious JavaScript that drained approximately $3.1 million in pUSD from at least 11 user wallets on Polygon, with stolen funds bridged to Ethereum and converted to roughly 1,893 ETH. The incident occurred against a backdrop of a concurrent CFTC marketing-fraud investigation and a prior private key compromise in May 2026.","timeline":[{"date":"2025-07-01","event":"CFTC and DOJ drop prior inquiries into Polymarket.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/cftc-probes-polymarket-prediction-market/"},{"date":"2025-12-01","event":"Polymarket launches CFTC-regulated exchange for U.S. customers.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/cftc-probes-polymarket-prediction-market/"},{"date":"2026-04-01","event":"Polymarket launches pUSD, an ERC-20 stablecoin backed 1:1 by USDC, as primary collateral on Polygon.","source":"Our Crypto Talk","source_url":"https://ourcryptotalk.com/news/polymarket-hack-pusd-frontend-exploit"},{"date":"2026-05-22","event":"ZachXBT flags suspicious on-chain activity on Polygon linked to Polymarket. Attacker exploits a compromised private key belonging to an internal operations wallet and drains between $520,000 and $700,000. Polymarket states user funds and contracts are safe.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/05/22/zachxbt-flags-usd520k-polymarket-exploit-on-polygon-team-says-funds-are-safe"},{"date":"2026-06-20","event":"The Wall Street Journal publishes an investigation alleging Polymarket used influencers in promotional videos depicting fake winning bets with no real money wagered; approximately 70 percent of videos reviewed contained allegedly deceptive content.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/cftc-probes-polymarket-prediction-market/"},{"date":"2026-06-25","event":"Supply chain attack occurs. A compromised third-party frontend vendor injects malicious JavaScript into Polymarket's website. At least 11 user wallets are drained of approximately $2.94–$3.1 million in pUSD on Polygon. Stolen funds are bridged to Ethereum and swapped for approximately 1,893 ETH, consolidated into address 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD.","source":"Crypto Briefing / Our Crypto Talk","source_url":"https://cryptobriefing.com/polymarket-hack-loss-3m-full-refunds/"},{"date":"2026-06-25","event":"Polymarket confirms the breach, removes the compromised dependency, and pledges full refunds to affected users. The compromised vendor is not named publicly.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/06/25/polymarket-users-hit-by-3m-frontend-exploit-platform-vows-refunds/"},{"date":"2026-06-26","event":"CNBC reports the CFTC has opened a new investigation into Polymarket's marketing practices, citing a source with knowledge of the inquiry. U.S. senators urge the CFTC to probe the platform's alleged deceptive advertising.","source":"CNBC","source_url":"https://www.cnbc.com/2026/06/26/cftc-is-conducting-an-investigation-into-polymarket-source-says.html"}]},"v":1}