Woofun AI reports that a third-party vendor compromise discovered Thursday injected a malicious script into Polymarket's frontend, draining an estimated $2.94 million from at least 11 user wallets. Blockchain analyst Specter identified the script as a phishing mechanism, though Polymarket confirmed on X that the dependency has been removed and the incident contained. The platform pledged full refunds to all affected users, asserting that core smart contracts and user funds remained secure throughout the event.

This incident marks the 89th reported crypto security breach of the second quarter, extending the record for the most-hacked quarter by incident count. Crypto exploit losses climbed to $74.9 million across 29 reported incidents in June, surpassing May's $60.5 million total but remaining far below April's $644 million. The largest June incidents included the $36 million Humanity Protocol exploit, the $4.7 million Secret Network bridge exploit, two separate Aztec exploits worth $2.1 million each, and a $1.7 million bridge exploit on Taiko.

Woofun AI data shows that over the past 30 days, private key compromises accounted for 43% of reported exploit losses, making them the leading attack vector. Fake proof exploits accounted for 10%, followed by reverse MEV honeypots at 8%, which present deceptive trading opportunities to lure and manipulate automated trading bots. This distribution highlights a shift in attacker methodology toward credential theft and bot manipulation rather than pure protocol logic failures.

About a month before Polymarket's latest attack, the prediction market disclosed a separate $600,000 exploit traced to a six-year-old private key used for internal top-up operations. Josh Stevens, Polymarket's vice president of engineering, stated that all permissions tied to that key had since been revoked. Despite these recurring security challenges, Polymarket currently holds over $450 million in total value locked, up 301% from $112 million a year ago. The resilience of capital inflow suggests user confidence remains intact despite the frequency of external threats.