Key Facts

• Hackers stole about $3.1 million in Polymarket's PUSD token from 11 user wallets, moving the funds from Polygon to Ethereum, according to blockchain intelligence firm AMLBot.
• Polymarket said a compromised third-party vendor injected a malicious script into its frontend, and the platform has removed the dependency and pledged full refunds to affected PUSD holders.
• Blockchain security firm PeckShield reported that hackers had deployed a phishing campaign targeting Polymarket users, and the attacker or attackers had bridged the stolen funds initially estimated at roughly 1,893 ETH.
• The phishing attack comes after a series of recent security incidents at Polymarket, including a suspected security breach in March where over $520,000 was reportedly drained from two smart contracts on the Polygon blockchain.
• Polymarket is under federal investigation following a Wall Street Journal article into the prediction markets platform's allegedly deceptive social media promotion of users boasting winnings.