Some Polymarket users have seen their funds stolen after a third-party vendor compromise, the platform said Thursday.

According to Polymarket’s X post, an unnamed third-party vendor was hacked, allowing attackers to inject malicious code into the prediction market’s front-end.

This story is an excerpt from the Unchained Daily newsletter.

Polymarket said it has identified and removed the malicious code, patched the vulnerability, and will fully reimburse all affected users.

While Polymarket did not provide further details, blockchain intelligence platform Bubblemaps estimates that hackers drained approximately $3 million from fewer than 15 Polymarket users. Bubblemaps shared data showing that hackers converted the loot to ETH, which for some time was parked in several Ethereum wallets. Those wallets have now started to move, however.

Polymarket users who interacted with the compromised front-end had their pUSD balances drained, according to blockchain security platform PeckShield. pUSD is Polymarket’s own dollar-pegged stablecoin backed by USDC, which the platform introduced as part of its April 2026 exchange overhaul.

The exploit is the second to hit Polymarket in roughly two months. In May, a private key compromise drained $700,000 from an internal top-up wallet the company used to distribute user rewards. The string of attacks raise questions about the security of the perimeter surrounding Polymarket’s core protocol.

Related Listen: Is Polymarket’s Oracle Problem Getting Out of Hand? – Uneasy Money