Polymarket hack loss estimate rises to $3.1M as refunds face CFTC scrutiny

The loss estimate for the Polymarket hack has grown. Blockchain intelligence firm AMLBot raised its estimate of stolen funds to about $3.1 million after attackers drained PUSD from 11 wallets. Earlier estimates were near $2.94 million.

Polymarket says a compromised third-party vendor injected malicious code into parts of its frontend. The incident targeted users through website-based phishing mechanics rather than by altering the core protocol. The platform removed the dependency, contacted affected users, and promised refunds for PUSD holders. Specter Analyst and PeckShield also warned about the risk of frontend prompt manipulation: wallet prompts can be altered while the site still appears legitimate.

Investigators describe a Polygon-to-Ethereum flow: funds were taken on Polygon, bridged to Ethereum, converted to USDC.e via Relay, swapped to ETH, and consolidated on Ethereum addresses.

Separately, the refund pledge is unfolding amid broader regulatory pressure, with U.S. lawmakers urging the CFTC to review allegations of misleading advertising tied to prediction markets. For traders, this Polymarket hack raises near-term security and counterparty risk concerns for prediction/DeFi platforms, while regulatory scrutiny can extend volatility beyond the incident timeline.
Neutral
This news is mainly about a stablecoin (PUSD) theft and a frontend-phishing incident. While the Polymarket hack increases reputational and platform-security risk, it is not directly tied to a change in PUSD’s underlying issuance or core protocol. If refunds are credible, the market impact on PUSD should be limited, keeping overall price pressure in check. In the short term, however, traders may price in higher risk for prediction/DeFi venues (and any associated liquidity), which can cause mild dislocations and increased volatility around PUSD-related positioning. In the longer term, continued phishing concerns and regulatory scrutiny (CFTC review of alleged misleading advertising) may prolong uncertainty, but without a direct tokenomics shock to PUSD, a sustained bearish move is less likely.