Polymarket Wallets Emptied: Third-Party Vulnerability Confirmed in Latest Hack
Polymarket, a decentralized prediction market platform, has confirmed that a recent wave of wallet drains affecting user accounts was caused by a security flaw related to a third-party authentication provider. The issue has now been resolved, and there is no ongoing risk, but the company did not disclose how many users were affected or the total value of funds lost.
According to reports, several user accounts suffered monetary losses due to a security flaw in a third-party authentication service. Some users reported on social media that their funds had run out after receiving suspicious login emails, with one Reddit user stating that three login attempts were reported while his email and other online accounts showed no signs of compromise.
Polymarket said the issue has been resolved and there is no longer any risk, but the company did not provide details about refunds or recovery options for affected users. The platform stated that it would contact affected users directly.
Login Emails, Empty Accounts: Polymarket Users Describe Sudden Fund Losses
Reports of suspicious activity began circulating earlier this week, with several users reporting that their positions were closed and their balance was close to zero. One user provided a detailed report suggesting that the breach may have resulted in vulnerabilities in the platform’s one-time password system at the time of the incident.
A lot of people who reported their Polymarket accounts through Magic Link were exhausted. Possibly an ongoing security issue with Magic Link (but user error/phishing can never be ruled out). A few from Discord are posted below, but I’ve seen more reports.
Source: Polymarket Discord
Third-Party Breaches Keep Haunting Crypto Platforms
The incident is not the first time that Polymarket has faced security concerns related to external services. In September 2024, users signed in through Google accounts reported wallet drains related to unauthorized proxy transactions that moved USDC funds to phishing addresses.
Recently, a phishing campaign that abused the platform’s comment sections resulted in losses of over $500,000 after redirecting users to fake login pages. The breach comes amid a broader increase in third-party security failures in the crypto and technology sectors.
Security researchers repeatedly warn that using third-party infrastructure can increase the attack surface, especially given the growing number of crypto platforms. For more information, visit https://cryptonews.com/news/polymarket-hack-third-party-vulnerability-funds-drained/
