Overview
- Polymarket disclosed Thursday that malicious JavaScript was injected into its frontend through a compromised third‑party vendor. Security firms say the injected code enabled a phishing attack that drained roughly $3 million of the platform's PUSD from about 11 to 15 user wallets; the funds were then bridged to Ethereum and swapped into roughly 1,893 ETH.
- The company says it has contained the frontend supply‑chain compromise, removed the affected dependency, is contacting affected users and will refund losses in full; independent on‑chain monitors continue to track the stolen proceeds.
- A Wall Street Journal investigation published earlier this week found Polymarket paid mostly college‑age creators to film staged trades and fake wins on replica sites, without clear disclosure, and used coordinated reposting to reach U.S. audiences the platform had been barred from serving with its primary product.
- In response, a bipartisan group of senators has asked the Commodity Futures Trading Commission to probe the promotional practices, multiple outlets report an ongoing CFTC inquiry, and the National Association of Consumer Advocates has filed a civil suit alleging deceptive marketing aimed at students.
- Together the incidents heighten legal and regulatory risk for Polymarket as it expands in the U.S., raise questions about its controls over third‑party code and over influencer disclosures, and leave observers watching for the company's audit results, the pace of reimbursements, and possible enforcement by the CFTC, FTC, state regulators or prosecutors.