Polymarket has confirmed that an external vendor compromise allowed hackers to steal cryptocurrency from users, with full refunds under way.
The company disclosed the incident via a post on X on 26 June 2026, stating it had contained the attack and was in the process of contacting those affected, with commitments to issue full refunds. Polymarket spokesperson Connor Brandi confirmed to TechCrunch that the breach had led directly to the theft of user funds, but declined to provide further information or respond to specific questions about the nature and scope of the attack. The number of accounts affected and the identity of the compromised vendor were not disclosed.
Scale of the incident
Blockchain monitoring firm PeckShield reported, in a concurrent post on X, that the attack appeared to constitute a phishing campaign targeting Polymarket users. PeckShield estimated the value of stolen cryptocurrency at approximately USD three million. A separate blockchain analyst corroborated similar losses and reported that more than 11 users had been affected.
In the days prior to the formal disclosure, two individuals had separately reported on social media that funds had been taken from their Polymarket accounts, suggesting the attack had been under way before the platform issued any formal response or notification.
Polymarket enables users to deposit and receive payments in cryptocurrency, making digital assets the primary medium through which funds move on the platform. The service operates as a prediction market, where participants stake cryptocurrency on the outcomes of political, economic, and other events.
A turbulent week for the platform
The security incident represents the latest setback for Polymarket during a week already marked by controversy. An investigation published on 22 June 2026 found that the company had paid content creators to post promotional videos depicting fabricated betting wins. Polymarket stated it would conduct an audit of its promotional content in response.
Vendor compromises enabling malicious code injection represent a recognised attack vector across the crypto and fintech sectors. Such methods can circumvent a platform's own security controls, exposing users to fund theft without any direct breach of core infrastructure.
As of 26 June 2026, the full extent of refund obligations and the total number of users impacted remained undisclosed. Polymarket had not confirmed whether the incident had been reported to any regulatory authority.
