Polymarket Hack: Third-Party Vulnerability Drains User Funds

Polymarket has confirmed that a recent wave of wallet drains affecting user accounts was caused by a security vulnerability tied to a third-party authentication provider, following days of complaints from users who said their balances were emptied after unexplained login attempts.

The decentralized prediction market platform said the issue has now been fixed and that there is no ongoing risk, though it has not disclosed how many users were affected or the total value of funds lost.

Login Emails, Empty Accounts: Polymarket Users Describe Sudden Fund Losses

Reports of suspicious activity began circulating earlier this week on X and Reddit, where several users described receiving multiple login notification emails despite not attempting to access their accounts.

In multiple cases, users said they logged in hours later to find their positions closed and balances nearly zero.

One Reddit user wrote that three login attempts were flagged while their email and other online accounts showed no signs of compromise, adding that their Polymarket funds were drained at the same time the login emails were sent.

Another user provided a detailed account suggesting the breach may have involved weaknesses in the platform’s one-time password system at the time of the incident.

According to the user, the login codes were only three digits long and may have been vulnerable to brute-force attempts. The user noted that shortly after the incident, Polymarket appeared to increase the OTP length to six digits, though the company has not publicly commented on that specific claim.

User reports have pointed to a common thread among affected accounts. Several said they had signed up through Magic Labs, a popular onboarding service that allows users to log in with email addresses and automatically creates non-custodial Ethereum wallets.

Magic Labs is widely used by newer crypto users who do not already manage their own wallets.

While Polymarket did not name the authentication provider involved, it acknowledged in a message posted to its official Discord channel that the vulnerability originated from a third-party service.

The platform said it would contact impacted users directly but did not offer details on reimbursements or recovery options.

Third-Party Breaches Keep Haunting Crypto Platforms

The incident is not the first time Polymarket has faced security-related concerns tied to external services.

In September 2024, users who logged in through Google accounts reported wallet drains involving unauthorized proxy transactions that moved USDC funds to phishing addresses.

At the time, Polymarket investigated the events as potentially targeted exploits linked to third-party authentication tools.

More recently, a phishing campaign that abused the platform’s comment sections resulted in losses exceeding $500,000 after users were redirected to fake login pages.

The breach comes amid a broader rise in third-party security failures across the crypto and technology sectors. This week, crypto tax software firm Koinly warned users that email addresses may have been exposed following a breach at Mixpanel, an analytics provider it previously used.

Koinly reported that no financial/tax information had been breached and that it no longer uses the service.

Elsewhere, Swiss crypto platform SwissBorg released a report of a loss of 41 million earlier this year following a compromise by attackers of an API provider, and Discord and a number of DeFi protocols have also reported attacks related to external vendors.

A consistent warning that security researchers have given is that the use of third-party infrastructure can increase attack surfaces, particularly with crypto platforms growing.

The post Polymarket Hack: Third-Party Vulnerability Drains User Funds appeared first on Cryptonews.