
Hackers Drain 3 Million From Polymarket via a Third-Party Script

Polymarket lost close to 3 million dollars in crypto after attackers broke into one of its outside vendors and slipped malicious code into the website's front end. The company's own servers were never touched. It is a reminder that every third-party script on your site runs with your customers' trust.

By SecureBusinessHub Editorial, International cybersecurity desk

On 25 June, some Polymarket users connected their crypto wallets to the prediction market's website like any other day and watched their balances drain. By the time it was contained, roughly 2.94 million dollars in the platform's PUSD stablecoin was gone.

What makes this one worth your attention is where the attack lived. Polymarket's servers and back-end systems were never breached. The attackers got in through a third-party vendor, one of the outside companies whose code the website loads in the visitor's browser. They compromised that vendor and used its code to inject malicious JavaScript into Polymarket's front end, where it ran with exactly the same privileges as Polymarket's own scripts.

How the money moved

The injected script did not grab funds directly. It waited for a user to connect a wallet, then quietly altered the transactions they were asked to approve. People believed they were confirming a normal action. They were actually signing token approvals that handed their PUSD to the attacker. An approval of this kind grants a chosen address permission to move tokens on the owner's behalf, so a single misdirected signature is enough for the balance to be pulled later without any further prompt. On-chain investigators traced about 2.94 million dollars drained from at least 11 wallets. The thief then bridged the funds from Polygon to Ethereum, swapped them into roughly 1,893 ETH, and funnelled everything into a single address.
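The check a hardened front end or wallet can make before the signing prompt appears, as an added example that is not Polymarket's code and not described on the page: it assumes the approvals in the incident were standard ERC-20 allowances, which is the common pattern on Polygon, and every contract address below is invented for the demo. The same decoding logic applies to any ERC-20 token, not only PUSD.

```javascript
// Added example, not Polymarket's code. Decodes an ERC-20 approve() call and
// checks the spender before the wallet prompt is shown. Assumes standard ERC-20
// allowances; all addresses below are hypothetical.

// First four bytes of keccak256("approve(address,uint256)"), the standard ERC-20 selector.
const APPROVE_SELECTOR = '095ea7b3';
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist: the only contracts this front end should ever ask a
// user to approve. Hard-coded and reviewed, never supplied by a third-party script.
const TRUSTED_SPENDERS = new Set([
  '0x1111111111111111111111111111111111111111', // hypothetical exchange contract
]);

// ABI-encode approve(spender, amount) so the demo can build realistic calldata.
function encodeApprove(spender, amount) {
  const spenderWord = spender.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  const amountWord = amount.toString(16).padStart(64, '0');
  return '0x' + APPROVE_SELECTOR + spenderWord + amountWord;
}

// Decode calldata for approve(address spender, uint256 amount).
// Returns null for anything that is not a well-formed approve() call.
function decodeApprove(calldataHex) {
  const hex = calldataHex.toLowerCase().replace(/^0x/, '');
  // 4-byte selector + two 32-byte ABI words = 68 bytes = 136 hex characters.
  if (hex.length !== 136 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address fills the low 20 bytes of its word; the high 12 bytes must be zero.
  if (!spenderWord.startsWith('0'.repeat(24))) return null;
  return {
    spender: '0x' + spenderWord.slice(24),
    amount: BigInt('0x' + hex.slice(72)),
  };
}

// Refuse approvals to unknown spenders and flag unlimited allowances: those are
// the two properties that turn one signature into a full drain.
function checkApproval(tx, trusted = TRUSTED_SPENDERS) {
  const decoded = decodeApprove(tx.data);
  if (!decoded) return { flagged: false, findings: [], reason: 'not an approve() call' };
  const findings = [];
  if (!trusted.has(decoded.spender)) findings.push(`spender ${decoded.spender} is not on the allowlist`);
  if (decoded.amount === MAX_UINT256) findings.push('unlimited allowance requested');
  return { flagged: findings.length > 0, findings, ...decoded };
}

// Constructed transactions. TOKEN stands for the stablecoin contract the user
// holds (hypothetical address). LEGIT_TX approves the expected contract for a
// bounded amount; TAMPERED_TX is what a swapped spender and amount look like.
const TOKEN = '0x2222222222222222222222222222222222222222';
const LEGIT_TX = { to: TOKEN, data: encodeApprove('0x1111111111111111111111111111111111111111', 1_000_000n) };
const TAMPERED_TX = { to: TOKEN, data: encodeApprove('0xabababababababababababababababababababab', MAX_UINT256) };

function demo() {
  return { legit: checkApproval(LEGIT_TX), tampered: checkApproval(TAMPERED_TX) };
}

console.log(demo()); // legit.flagged: false; tampered.flagged: true with two findings
```

One caveat matters here: a check that runs in the same page as the injected script can itself be patched by that script, so in practice this belongs in the wallet or a transaction-simulation layer, not only in the site's own JavaScript.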

The blast radius was narrow: analysts put the number of affected accounts at fewer than 15. Polymarket has said it will reimburse every affected user in full, has removed the poisoned dependency, and is contacting the people who lost money. It has not named the vendor that was breached.

Why this should worry any business with a website

You do not have to run a crypto platform for this to apply. Almost every modern website loads code it did not write: analytics, chat widgets, payment scripts, ad tags, A/B testing tools. Each of those runs in your customer's browser with the same access your own code has: it can read and rewrite the page, see what the user types, and call the same browser and wallet APIs. Compromise one supplier and you can skim card numbers, redirect payments, or, as here, rewrite what a user is agreeing to. Security teams call this web skimming or formjacking, and it has hit online retailers for years through the same kind of injected script.

Reduce your exposure

  • List every third-party script your site loads, including the scripts those scripts pull in. If you cannot say what a tag does and why it is there, remove it.
  • Pin third-party scripts to a known version and use Subresource Integrity, a hash of the file that the browser checks before running it, so an altered script is refused. This only works for files whose content is fixed; for a vendor that changes its tag at will, host a reviewed copy yourself or accept that you cannot pin it.
  • Set a Content Security Policy that only allows scripts from domains you approve. That blocks an injected script served from a new attacker host, but not code delivered through a vendor you already trust, which is the scenario this attack describes, so treat CSP as a complement to integrity checks rather than a substitute.
  • Watch your checkout and wallet-connection pages for unexpected outbound connections, the tell-tale sign that a script is sending data somewhere new. A CSP connect-src directive with reporting enabled will surface those attempts.
  • Keep the list of vendors with code on your site short. Every one you add is a door you do not fully control.

Polymarket did almost everything right on its own infrastructure and still lost millions. The weak point was a company most of its users had never heard of.