AMLBot Puts Polymarket Phishing Toll at $3.1M Across 11 Wallets, Funds Traced to Ethereum
Blockchain intelligence firm AMLBot has fixed the total stolen in Thursday's Polymarket supply-chain attack at approximately $3.1 million in PUSD, providing the first forensically confirmed on-chain dollar figure and tracing the stolen assets from Polygon to Ethereum. On-chain investigator Specter, which published the first public alert, identified more than 11 victim wallets.
AMLBot posted the revised tally on Saturday, two days after on-chain investigators first flagged the drain. The figure revises earlier estimates upward and, for the first time, pins both the dollar amount to a single on-chain intelligence source. AMLBot said it continues to monitor affected accounts as the investigation proceeds.
From Front-End to Bridge
The attack, covered by The Defiant on Thursday, began when a compromised third-party vendor injected malicious JavaScript into Polymarket's website. The code targeted user transactions at the front-end layer; Polymarket's smart contracts on Polygon were untouched. Polymarket confirmed fewer than 15 accounts were affected, consistent with scope described by on-chain security researchers tracking the wallets in real time.
On-chain investigator Specter published the first public alert and identified the attacker's primary consolidation address on Ethereum: `0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD`. PeckShield confirmed the stolen funds were bridged from Polygon to Ethereum and then swapped into roughly 1,893 ETH. Bubblemaps independently counted fewer than 15 affected accounts and estimated $3 million in losses being refunded.
PUSD is Polymarket's native collateral token, a Polygon-based ERC-20 minted 1:1 against USDC.e through the platform's on-chain collateral contracts. Deployed in April 2026 per on-chain records, PUSD operates exclusively within the platform and carries no external exchange listing, so the attacker had to convert it to ETH to exit. The token held its $1.00 peg throughout the incident, per PolygonScan data for the pUSD contract on Polygon.
Refund Commitment, Vendor Still Unnamed
Polymarket posted on X Thursday morning saying it had contained the attack, removed the malicious dependency, and would refund impacted users in full. William LeGate confirmed the repayment would be total, adding in a second post that there were "no user 'losses.'" The platform has not publicly named the compromised vendor across any channel since the incident was disclosed.
Initial independent estimates put the theft at $2.94 million, based on on-chain wallet tallies by Specter Analyst, while PeckShield and other firms rounded to roughly $3 million. AMLBot's Saturday update lifts the confirmed total by approximately $160,000 from Specter's initial read.
TechCrunch reported that a Polymarket spokesperson confirmed the breach but declined to provide further detail. Security researchers at CyberInsider and BleepingComputer both classified the incident as a supply-chain attack, the type where a downstream dependency injects hostile code into a trusted application, rather than a direct protocol exploit.
Platform Context
The platform currently holds $432 million in total value locked on Polygon, per DefiLlama. Security trackers cataloguing Q2 2026 DeFi incidents have counted the June 25 Polymarket attack among a sustained wave of supply-chain and front-end compromises targeting DeFi infrastructure in 2026.
Polymarket has committed to refunding affected users in full but has set no public timeline for completion and has not disclosed the identity of the third-party vendor whose compromise triggered the attack.
Advertisement
Get an edge in Crypto with our free daily newsletter
Know what matters in Crypto and Web3 with The Defiant Daily newsletter, Mon to Fri
90k+ Defiers informed every day. Unsubscribe anytime.
