Third-Party Breach at Polymarket Leads to $2.94M Crypto Theft

Polymarket confirmed hackers stole funds from some users after attackers injected malicious code through a compromised third-party vendor.

Polymarket confirmed that a security breach at a third-party vendor allowed attackers to inject malicious code into its website, leading to the theft of funds from an undisclosed number of users. The company said it has contained the incident and is contacting affected customers. The firm announced it will fully reimburse user losses; however, the technical details of the attack have not yet been disclosed.

This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.
— Polymarket Traders (@PolymarketTrade) June 25, 2026

The attack first came to light when blockchain security researcher Specter spotted a phishing campaign that drained more than 11 Polymarket wallets holding PUSD.

It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far. The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds into the following address:… pic.twitter.com/6WfS0JhdDG
— Specter (@SpecterAnalyst) June 25, 2026

The experts estimated losses of $2.94 million and reported that the attacker moved the stolen funds from Polygon to Ethereum and converted them into 1,893 ETH.

#PeckShieldAlert Specter has reported that a #phishing campaign appears to be targeting #Polymarket users, with ~$3M worth of $PUSD drained. The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 $ETH. pic.twitter.com/Li4nZY1me4
— PeckShieldAlert (@PeckShieldAlert) June 25, 2026

GoPlus Security Alert: #Polymarket suffered a supply chain attack, with multiple users losing approximately $3 million @Polymarket Due to a compromise of a third-party vendor, malicious code was injected into the frontend. Around 15 user accounts collectively lost… https://t.co/La1aKILSwX pic.twitter.com/j0Ol2wY0VK
— GoPlus Security (@GoPlusSecurity) June 26, 2026

Earlier this week, Polymarket said it would review its promotional content after an investigation found it had paid creators to post fake videos showing fabricated betting wins.

Pierluigi Paganini (SecurityAffairs – hacking, Polymarket)