Polymarket Users Lose $3 Million in Supply-Chain Attack
Prediction market platform **Polymarket** is set to reimburse users after a sophisticated supply-chain attack led to an estimated $3 million in losses. The incident involved a malicious script injected into the platform's frontend via a compromised third-party vendor, tricking users into approving fraudulent transactions.
Users of **Polymarket**, a prominent cryptocurrency-based prediction market, have fallen victim to a supply-chain attack that resulted in approximately $3 million being stolen. The company has committed to fully reimbursing all affected customers.
The attack vector was identified as a malicious script injected into **Polymarket**'s frontend, leveraging a breach at an unnamed third-party vendor. Crucially, **Polymarket**'s internal servers and backend infrastructure remained uncompromised.
### The Mechanics of the Attack
The incident saw unsuspecting users tricked into approving fraudulent transactions directly on the official **Polymarket** website. This was facilitated by malicious JavaScript delivered through a compromised frontend dependency.
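One defensive check relevant to this kind of compromise, as an added example that is not from Polymarket or the original article: auditing a page for third-party scripts that load without a Subresource Integrity (SRI) pin, and verifying the pins that do exist against the bytes actually served. It assumes the dependency is loaded as an external `<script>` tag, which the article does not specify; the hostnames and sample page are constructed.

```javascript
// Added example (not Polymarket's code): audit a page's <script> tags for SRI pinning.
const crypto = require('node:crypto');

// SRI value ("sha384-<base64 digest>") for a script body.
function sriHash(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Pull src/integrity from each <script> start tag. A regex scan is enough for
// auditing static HTML; it is not a full HTML parser.
function listScripts(html) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  return (html.match(/<script\b[^>]*>/gi) || [])
    .map(tag => ({ src: attr(tag, 'src'), integrity: attr(tag, 'integrity') }))
    .filter(s => s.src);
}

// Classify every external script. `fetched` maps absolute URL -> body as served.
function auditScripts(html, pageUrl, fetched) {
  const origin = new URL(pageUrl).origin;
  return listScripts(html).map(({ src, integrity }) => {
    const url = new URL(src, pageUrl);
    if (url.origin === origin) return { src, status: 'first-party' };
    const tokens = (integrity || '').split(/\s+/).filter(t => /^sha(256|384|512)-/.test(t));
    if (!tokens.length) return { src, status: 'unpinned' }; // vendor can change it freely
    const body = fetched[url.href];
    if (body === undefined) return { src, status: 'not-fetched' };
    // Browsers enforce only the strongest algorithm listed; do the same.
    const algo = tokens.map(t => t.slice(0, 6)).sort().pop();
    const ok = tokens.some(t => t === sriHash(body, algo));
    return { src, status: ok ? 'ok' : 'mismatch' };
  });
}

// Constructed sample input; hostnames are hypothetical.
const VENDOR_URL = 'https://cdn.vendor.example/widget.js';
const VENDOR_BODY = 'console.log("vendor widget v1");';
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="${VENDOR_URL}" integrity="${sriHash(VENDOR_BODY)}" crossorigin="anonymous"></script>
<script src="https://analytics.vendor.example/tag.js"></script>`;

console.log(auditScripts(SAMPLE_HTML, 'https://app.example/', { [VENDOR_URL]: VENDOR_BODY }));
```

An `unpinned` result means the vendor, or anyone who compromises the vendor, can change what runs on the page without the site noticing; `mismatch` means the served bytes no longer match the pin.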
While **Polymarket** has provided limited details, blockchain intelligence firms have shed more light on the financial impact. Blockchain security firm **PeckShield** reported that the phishing campaign siphoned approximately $3 million worth of **ParyonUSD** from users.
**PeckShield** further detailed the attacker's actions: "The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 **$ETH**."
### Impacted Accounts and Recovery Efforts
Visual analytics company **SlowMist** estimates that fewer than 15 accounts were impacted by the breach. **SlowMist** has published a list of some affected accounts and the wallets currently holding the stolen funds, aiding in transparency and potential recovery tracking.
**Polymarket**, founded in 2020 and currently valued at $9 billion, handles billions in trading volume. Its commitment to full reimbursement underscores the critical importance of trust in the volatile cryptocurrency market. This incident highlights the persistent and evolving threat of supply-chain attacks, even for platforms with robust internal security measures.