Executive Summary
Polymarket said a compromise at a third-party vendor allowed malicious code to be injected into its website for some users, that it contained the incident, and that it was contacting and fully refunding affected users. TechCrunch independently obtained confirmation from a Polymarket spokesperson that user funds were stolen. PeckShield reported a related phishing campaign and approximately $3 million in losses; the exact technical injection path, vendor, code artifact, exposure window, and victim count remained publicly unclear. [1] [2] [3]
The public evidence supports a high-confidence incident, but does not support filling every missing artifact, actor, victim, or infrastructure field. Unknown values below remain explicit. [1] [2] [3]