The third-party vendor breach identified on Thursday led to the injection of a malicious script onto Polymarket’s website, targeting several users. According to blockchain analyst Specter, the malicious script enabled a phishing attack, leading to the theft of about $2.94 million (roughly Rs. 27.75 crore) in cryptocurrency from at least 11 Polymarket user wallets. Polymarket stated on X that the compromise was isolated and that the affected dependency was taken out. The firm went on to note that the users will receive a full refund. Polymarket’s total value locked stands at $450 million (roughly Rs. 4,247 crore), up 301 percent from $112 million (roughly Rs. 1,057 crore) a year earlier, according to data from DeFiLlama.Â
Crypto Exploit Losses Continued to Rise Through June
About a month before the current Polymarket hack, the prediction market had reported another breach worth $600,000 (roughly Rs. 5.6 crore), which resulted from an old private key, six years old, that was employed for internal top-ups. According to Josh Stevens, vice president of engineering at Polymarket, none of the funds were affected since the contracts were secure and all permissions revoked.
It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far.
The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds into the following address:… pic.twitter.com/6WfS0JhdDG
— Specter (@SpecterAnalyst) June 25, 2026
Losses from cryptocurrency exploits have increased in June, amounting to $74.9 million (roughly Rs. 706 crore) through 29 incidents, which is an increase from the total of $60.5 million (roughly Rs. 571 crore) in May, but still significantly lower than $644 million (roughly Rs. 6,078 crore) in April, says DefiLlama. Based on the same data, over the last 30 days, private key exploits contributed to 43 percent of all exploit-related losses, making this the most common attack type. Proof exploits accounted for 10 percent, while reverse MEV honeypots amounted to 8 percent. Reverse MEV honeypots create misleading trading opportunities for automated trading bots.
Based on the analysis by market insights provider Unfolded, based on data from DeFiLlama, the second quarter of 2026 is the most hacked quarter on record in terms of the number of attacks, with 83 hacks of crypto protocols. KelpDAO’s $293 million (roughly Rs. 2,774 crore) hack and Drift Protocol’s $280 million (roughly Rs. 2,652 crore) exploit were the largest incidents of the quarter.Â
A few incidents in this quarter also involved Taiko, an Ethereum layer-2 blockchain that saw its bridge protocols collapse. Hackers managed to steal $1.7 million (roughly Rs. 16 crore) by compromising Taiko’s chain state verification mechanism. Other notable incidents of the past quarter include Secret Network Bridge suffering a $4.7 million (roughly Rs. 44.5 crore) exploit due to an Infinite Mint Bug, and THORchain halted trading after a suspected $10 million (roughly Rs. 94.7 crore) exploit, although now THORChain has resumed operations ast it has restored its network, including trading, signing, swaps, and liquidity provider actions.Â
Cryptocurrency is an unregulated digital currency, not a legal tender and subject to market risks. The information provided in the article is not intended to be and does not constitute financial advice, trading advice or any other advice or recommendation of any sort offered or endorsed by NDTV. NDTV shall not be responsible for any loss arising from any investment based on any perceived recommendation, forecast or any other information contained in the article.
