Facepalm: Polymarket users are used to betting on bad outcomes. This time, some of them were on the receiving end after hackers compromised a third-party vendor and used a malicious frontend script to drain funds from wallets.

The prediction market platform said the incident took place on Thursday morning and affected a "small number of users."

Polymarket said it had "contained & removed the affected dependency," adding that it would refund impacted users in full.

The company hasn't said which vendor was compromised, how long the malicious code was active, or exactly how many users were hit. It hasn't confirmed the total amount stolen, either.

PeckShield warned around the same time that a phishing campaign appeared to be targeting Polymarket users. Other investigators put the damage at close to $3 million, with Specter claiming that funds were drained from at least 11 victim wallets holding PUSD, Polymarket's stablecoin used for trading on the platform. The stolen assets were reportedly swapped for Ethereum and consolidated into a single wallet.

Polymarket's head of experience, William LeGate, assured users that they would not be left out of pocket, writing that those affected were being refunded in full. "We've resolved the issue," he said.

A frontend compromise is not the same as an exploit of Polymarket's core smart contracts, but it can be just as dangerous for users if malicious code is served directly through the site. In this case, the attacker didn't need to break the market itself; they only needed to get between the user and the interface used to interact with it.

Polymarket has been enjoying a surge of mainstream attention but has also faced growing scrutiny. The incident comes shortly after a Wall Street Journal investigation found that social media had been flooded with deceptive videos that appeared to show people winning big money on Polymarket. The company has said it will audit promotional content following the report.

Polymarket's public line is that the immediate threat has been removed and affected customers will get their money back. But the episode is another example of how a crypto platform can be exposed through its frontend and third-party dependencies, even when its core smart contracts are untouched.