Blockchain intelligence firm AMLBot pegged the total amount stolen in Thursday’s Polymarket supply chain attack at approximately $3.1 million in PUSD, providing the first forensically confirmed dollar figure and tracing stolen assets from Polygon to Ethereum. On-chain investigator Specter, which issued the first public alert, identified more than 11 victim wallets.
AMLBot released the revised tally on Saturday, two days after on-chain investigators first reported the leak. The figure revises previous estimates upward and, for the first time, links the dollar amount to a single on-chain intelligence source. AMLBot said it continues to monitor affected accounts as the investigation progresses.
From front end to bridge
The attack, covered by The Defiant on Thursday, began when a compromised third-party vendor injected malicious JavaScript into Polymarket’s website. The code targeted user transactions at the front-end layer; Polymarket smart contracts on Polygon remained intact. Polymarket confirmed that fewer than 15 accounts were affected, matching the scope described by on-chain security researchers who track wallets in real time.
On-chain investigator Specter issued the first public alert and identified the attacker’s primary consolidation address on Ethereum: “0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD.” PeckShield confirmed that the stolen funds were transferred from Polygon to Ethereum and then exchanged for approximately 1,893 $ETH. Bubblemaps independently counted fewer than 15 affected accounts and estimated the reimbursed losses at $3 million.
PUSD is Polymarket’s native collateral token, a Polygon-based ERC-20 issued 1:1 against USDC.e via the platform’s on-chain collateral contracts. Deployed in April 2026 by on-chain registrations, PUSD works exclusively within the platform and does not feature any external exchange quotes, so the attacker had to convert it to $ETH to go out. The token maintained its exchange rate of $1.00 throughout the incident, according to PolygonScan data for the pUSD contract on Polygon.
Reimbursement commitment, supplier still unknown
Polymarket posted to X on Thursday morning, saying it had contained the attack, removed the malicious dependency, and would fully refund affected users. William LeGate confirmed that the refund would be full, adding in a second message that there was “no user ‘loss’.” The platform has not publicly named the compromised vendor on any channel since the incident was disclosed.
Initial independent estimates put the theft at $2.94 million, based on on-chain wallet counts by Specter Analyst, while PeckShield and other companies rounded up to around $3 million. AMLBot’s Saturday update increases the confirmed total by approximately $160,000 from Specter’s initial reading.
TechCrunch reported that a Polymarket spokesperson confirmed the breach but declined to provide further details. Security researchers at CyberInsider and BleepingComputer both classified the incident as a supply chain attack, the type in which a downstream dependency injects hostile code into a trusted application, rather than a direct protocol exploit.
Platform context
The platform currently has $432 million in total value locked on Polygon, according to DefiLlama. Security trackers tracking Q2 2026 DeFi incidents ranked the June 25 Polymarket attack among a sustained wave of supply chain and front-end compromises targeting DeFi infrastructure in 2026.
Polymarket pledged to fully refund affected users, but set no public deadline for its completion and did not disclose the identity of the third-party vendor whose compromise triggered the attack.