Hackers Inject Malicious Script in Polymarket Supply-Chain Attack

"The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 $ETH," PeckShield says.

What Polymarket reports: full reimbursement after a supply‑chain injection

Polymarket announced it will fully reimburse customers who lost an estimated $3 million after malicious JavaScript was injected into the platform's frontend following a breach at a third‑party vendor. The company said the hack was the result of a supply‑chain attack that impacted a dependency on its website, and that Polymarket’s own servers and backend infrastructure were not impacted by the incident.

Polymarket handles billions of dollars in trading volume and bills itself as one of the world's largest cryptocurrency‑based prediction markets, offering contracts that reflect collective market estimates of events ranging from sports and awards to economic indicators and military conflicts. The company was founded in 2020 and is currently valued at $9 billion, according to the reporting.

How the injected script worked: frontend dependency and phishing approvals

Independent analysts described the incident as a frontend supply‑chain compromise in which malicious JavaScript, introduced via a frontend vendor dependency, caused unsuspecting users to approve fraudulent transactions on the official Polymarket website. The reporting characterizes the incident as a phishing campaign that tricked users into taking actions that transferred funds out of their accounts.

Polymarket stated its backend systems were not breached; the attack exploited a third‑party component that ran in users' browsers. The company did not publish extensive technical details in its brief announcement.

Scale of losses and the blockchain trail

Independent blockchain intelligence firms estimated roughly $3 million in losses. PeckShield specifically reported that the campaign stole approximately $3 million worth of ParyonUSD from users and that the attacker bridged the stolen funds from Polygon to Ethereum before swapping them into about 1,893 Ether.

Visual analytics company Bubblemaps estimated the incident impacted fewer than 15 accounts and published lists of some affected accounts as well as the wallets that held the stolen funds, providing on‑chain tracing of the flow from victim accounts to the attacker‑controlled wallets.

Affected accounts and wallet movements, as traced publicly

According to the reporting, Bubblemaps made public a list of some impacted accounts and the destination wallets holding the stolen funds. PeckShield’s analysis documented the bridge from Polygon to Ethereum and the subsequent swap into roughly 1,893 ETH, creating a clear on‑chain breadcrumb trail that independent observers have used to follow the funds.

BleepingComputer contacted Polymarket for more details about the incident but had not received a response by publication time.

How security teams, users, and policymakers are likely to respond

  • Security teams and technologists: The incident highlights the exposure created by frontend dependencies and third‑party vendor code that executes in users’ browsers. The source material includes a Picus whitepaper observation that "Security teams log 54% of successful attacks and alert on just 14%," a statistic that underlines the gap between activity and detection and may drive more frequent breach and attack simulation testing of SIEM and EDR rules.
  • End users of prediction markets: Users who were tricked into approving fraudulent transactions stand to be fully reimbursed, according to Polymarket’s announcement, but the event underscores how wallet approvals performed in a browser can be manipulated when third‑party frontend code is compromised.
  • Policymakers and market overseers: The theft of roughly $3 million from a small number of accounts on a high‑profile, high‑volume platform raises questions about supply‑chain risk management at platforms that handle large volumes and about the transparency of incident reporting by market operators; Polymarket’s brief public statement leaves many technical details undisclosed.

Polymarket’s pledge to reimburse affected users arrives alongside an on‑chain record that shows stolen ParyonUSD bridged and converted to ETH. The facts on the blockchain are visible; the broader operational and vendor‑level answers — and any remediation Polymarket will publish about the compromised dependency — remain to be disclosed. For now, the case is a compact example of how a single third‑party frontend dependency can yield multi‑million‑dollar losses and immediate cross‑chain movement of funds.

Source: BleepingComputer — Polymarket customers lose $3 million in supply-chain attack