Polymarket Discloses Third-Party Supply Chain Breach, $3M Stolen

Attackers planted malicious code on Polymarket via a third-party vendor, stealing roughly $3M from users. Polymarket has pledged to reimburse affected accounts.

Tags: Incident Response, Threat Intelligence

Prediction market platform Polymarket disclosed that attackers compromised a third-party vendor and used that access to plant malicious code on its website. According to reports circulating online, the injected code allowed the attackers to steal approximately $3 million from user accounts. Polymarket has stated it will reimburse affected users for the full amount.

This is a client-side supply chain attack: rather than breaching Polymarket’s own infrastructure directly, attackers went through a vendor whose code runs in the browser alongside the platform’s own scripts — the same pattern seen in prior incidents involving compromised analytics tags, chat widgets, and payment-adjacent JavaScript libraries. Once malicious code executes in that context, it can intercept form submissions, manipulate transaction data, or redirect funds without triggering server-side alarms, since the traffic often still looks legitimate from the backend’s point of view.

These incidents are difficult to catch with server-side logging alone, because the compromise executes in the user's browser rather than in your infrastructure. Detecting and containing them means controlling third-party script behavior on the client: Subresource Integrity (SRI) pins each external script to a known hash, so a modified vendor file simply fails to load; a Content Security Policy (CSP) limits which origins may supply scripts (script-src) and which hosts page code may contact (connect-src), and its reporting directives turn a blocked load or connection into an alert. One caveat: SRI only works for a fixed, versioned file. A vendor tag that auto-updates cannot be pinned without breaking it, which is exactly why such tags deserve the most scrutiny.

For any organization embedding third-party scripts on pages that handle authentication, payments, or sensitive transactions, this is a reminder to inventory every external script your site loads, restrict what they’re allowed to do via CSP, and treat vendor code changes as a security-relevant event worth monitoring — not just a marketing or product update.

Why it matters: Third-party JavaScript and vendor scripts running on customer-facing pages are a direct path to account and fund theft — review what third-party code executes in your own web properties and whether you'd detect it injecting or exfiltrating data.