Popular on-chain analyst Specter just reported a major Polymarket breach today that stole up to $2.94 million from about 11 accounts combined. According to Specter , the stolen funds were originally held as PUSD (Polymarket’s USD-pegged collateral token), swapped into ETH and sent to a final address. While 11 victims have been identified so far, the final count may still increase as investigators continue to trace more transactions. Why always Polymarket? Polymarket has faced phishing and social engineering attacks since last year. Each one exploited different entry points but followed the same playbook: tricking users into handing over credentials, then clearing their wallets before they notice. Earlier this month, Polymarket’s VP of Engineering, Josh Stevens, addressed a case where a user was swindled out of more than $2 million. The victim had entered a one-time password into a fake website that looked exactly like Polymarket, which allowed the attacker to compromise the victim’s Magic Link wallet (an email-based login system), and drain their funds instantly. Stevens stressed that while the impact was massive, the breach took place on a scam site and did not stem from a flaw in Polymarket’s own platform. That attack came after a $520,000 drain from the platform’s UMA CTF Adapter contract on Polygon in May. According to on-chain investigator ZachXBT , the attack was caused by a compromised deployer key. Airdrop speculation may be fueling the threat The phishing risk facing Polymarket users is compounded by growing speculation around a potential POLY token airdrop. On June 25, X user Tiptop noted that Polymarket had quietly updated its FAQ page, removing language that previously stated the platform “does not have a token” and scrubbing references to having no plans for an airdrop or token generation. Polymarket CMO Matthew Modabber confirmed token and airdrop plans in an October 2025 interview, saying the team wanted to create “a token with true utility, longevity, and to be around forever,” as Cryptopolitan reported. That confirmation prompted users to adjust their trading behavior in hopes of qualifying for a future distribution. The hype around potential airdrops makes it easy for scammers to trick people with fake eligibility checkers and claim pages. Another round of airdrop speculation has started spreading on social media, as Web3 profiles have reported that Polymarket recently removed the explicit denial of an airdrop from its FAQ page. Polymarket faces other reputational headaches The risks on the platform have gone beyond phishing. Last December, SlowMist found a Polymarket copy-trading bot on GitHub embedded with malicious code meant to steal and transmit private keys to hackers. Another investigation conducted by StepSecurity in March also uncovered a compromised GitHub organization that was distributing fake trading bots designed to compromise user accounts. The platform also faces reputational headwinds. According to a Wall Street Journal investigation, Polymarket paid influencers around $2,000 to $3,000 per month to post scripted videos showing fake trading profits. Apparently, the influencers were told to hide that they were being paid, and even ordered to redo clips if they weren’t exciting enough. They were also instructed to make the fake winnings appear as if they were real, organic experiences. Combined with the phishing campaigns and malicious bot ecosystem, the pattern now creates doubts about user safety on a platform where prediction market open interest recently hit a record $1.48 billion, according to a16z Crypto data cited by Cryptopolitan . Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free .
