Third-Party Breach at Polymarket Led to Nearly $3 Million in User Crypto Theft
Polymarket said attackers stole funds from an undisclosed number of users after compromising a third-party vendor and injecting malicious code into the company's website. The platform said the incident has been contained, affected customers are being notified, and victims will be fully reimbursed. A company spokesperson confirmed the theft but did not disclose how many users were impacted.
Independent blockchain researchers described the activity as a phishing-style campaign that drained more than 11 Polymarket wallets holding PUSD, with estimated losses of about $2.94 million to $3 million. Researchers also reported that the attacker moved the stolen assets from Polygon to Ethereum and converted them into roughly 1,893 ETH, indicating a rapid effort to launder the proceeds after the website compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Phishing campaign drains Polymarket user wallets
Blockchain security researcher Specter identified a phishing campaign targeting Polymarket users that drained more than 11 wallets holding PUSD. Reported losses were estimated at about $2.94 million, and the attacker allegedly bridged the assets from Polygon to Ethereum and converted them into 1,893 ETH.
Polymarket confirms third-party breach and user fund theft
Polymarket said attackers compromised a third-party vendor and used that access to inject malicious code into the Polymarket website for some users, resulting in stolen user funds. The company said it had contained the incident, was notifying affected customers, and would fully reimburse victims.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
AMLBot Puts Polymarket Phishing Toll at $3.1M Across 11 Wallets, Funds Traced to Ethereum - "The Defiant"
thedefiant.io
Open sourcePolymarket Confirms $3 Million Loss From Third-Party Front-End Supply-Chain Breach - "The Defiant"
thedefiant.io
Open source$3 Million Reportedly Stolen in Polymarket Hack - SecurityWeek
securityweek.com
Open sourceThird-Party Breach at Polymarket Leads to $2.94M Crypto Theft
securityaffairs.com
Open sourcePolymarket customers lose $3 million in supply-chain attack
bleepingcomputer.com
Open sourcePolymarket says hackers stole users' funds | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Trust Wallet Chrome Extension Compromised Leading to Multi-Million Dollar Cryptocurrency Theft
A compromised update to the Trust Wallet Chrome extension, version 2.68.0 released on December 24, resulted in the theft of over $7 million in cryptocurrency from hundreds of users. Attackers injected malicious JavaScript code, disguised as analytics, which activated when users imported their seed phrases, exfiltrating sensitive wallet data to a domain mimicking Trust Wallet's infrastructure. The attack was first flagged by blockchain investigators and security researchers, who noted that only desktop extension users were affected, while the mobile app remained secure. Trust Wallet responded by releasing an urgent warning and a subsequent extension update, while security firms highlighted the likely supply-chain nature of the compromise. In parallel to the direct compromise, threat actors launched phishing campaigns using domains such as fix-trustwallet.com, luring affected users with promises of a vulnerability fix but instead further draining their wallets. The incident underscores the risks of supply-chain attacks on browser extensions and the sophistication of attackers, who combined technical compromise with social engineering to maximize their haul. Security analysts and blockchain investigators continue to monitor the situation, advising users to avoid the Chrome extension until further notice and to remain vigilant against related phishing attempts.
Mar 21, 2026
Massive Exploit of Balancer DeFi Protocol via V2 Pool Vulnerability
Hackers exploited a vulnerability in the Balancer DeFi protocol's V2 pools, resulting in the theft of over $120 million in cryptocurrency, with at least $99 million stolen in ETH. The attack targeted Balancer's Compostable Stable Pools and was traced to either a precision rounding error in the Vault’s swap calculations or faulty access control mechanisms, allowing the attacker to manipulate token swaps and balances. Balancer confirmed that the exploit did not impact its V3 pools and has paused affected pools while working with security researchers to investigate the incident. The company has warned users to be vigilant against phishing attempts and fraudulent messages purporting to be from its security team. Several other blockchain organizations connected to Balancer, such as the Berachain Foundation, Gnosis, Sonic, and Beefy, took emergency measures to protect user assets, including halting networks and freezing stolen funds where possible. Despite Balancer's history of multiple security audits and bug bounty programs, this incident highlights ongoing risks in DeFi protocols. A full post-mortem is expected once the investigation concludes.
Mar 21, 2026
Step Finance Treasury Wallet Theft via Compromised Executive Devices
**Step Finance**, a Solana-based DeFi platform and analytics dashboard, reported a breach in which attackers **compromised devices belonging to company executives** and used that access to drain multiple **treasury wallets**. The incident was detected on **January 31**, with the threat actor described as leveraging a **“well-known attack vector,”** though Step Finance did not publicly disclose the specific technique or attribution. Initial third-party estimates from blockchain analytics firm **CertiK** put the theft at **261,854 SOL (~$28.9M)**, but Step Finance’s internal investigation later assessed total losses at **~$40M**. Step Finance said it has recovered **~$3.7M in Remora assets** and **~$1M in other positions** through partner coordination and **Token22 protections**, temporarily halted some operations to reinforce security, and stated that **Remora Markets is isolated** from the incident with **rTokens remaining 1:1 backed**; users were also advised **not to engage with the `STEP` token** until the investigation concludes.
Mar 21, 2026