Polymarket Says Users Will Be Refunded After $2.9M Frontend Theft
What happened?
Polymarket said a vendor compromise allowed attackers to inject a malicious script into its frontend, leading to a $2.9 million theft. The company said it contained the incident, removed the affected dependency and will refund users.
Why it matters
Polymarket said it was hit by a compromise that led to $2.9 million being stolen from users after attackers injected a malicious script into the platform’s frontend. The prediction market platform said the issue was contained and that users affected by the theft will be refunded.
The incident matters because it points to a recurring risk for crypto platforms: even when core systems are not described as breached, compromised third-party dependencies can create a path to user losses through the interface people rely on to interact with a service. For users, the episode is a reminder that frontend and vendor security can be as important as smart contract or wallet security.
According to the supplied report, Polymarket removed the affected dependency after identifying the compromise. The company also said it had contained the malicious activity, limiting the immediate impact of the attack.
The theft adds to broader concerns around supply-chain security in crypto, where injected scripts or compromised vendors can expose users during routine platform interactions. In this case, Polymarket’s stated response centers on containment, dependency removal and reimbursement for affected users.
No additional details were provided in the supplied material about the attackers, the exact number of affected users or the timing of the refunds. Polymarket’s commitment to reimburse users is the central user-facing outcome disclosed in the source.