Polymarket, a leading cryptocurrency prediction market, has reportedly suffered a theft of user funds: in the early hours of December 24th, multiple users voiced their anger on X and Reddit, saying that their "account balances had been wiped out".
The platform quickly acknowledged the security vulnerability on its official Discord page, pointing to a "third-party service provider." On-chain tracing tool Lookonchain subsequently identified wallet service provider Magic Labs, making this incident one of the most watched security breaches in the crypto market at the end of 2025.
Officials say the problem has been fixed, but some people are still worried.
Less than an hour after users reported the issue, Polymarket issued an announcement:
We discovered a vulnerability related to a third-party service provider, which has now been fixed. Only a very small number of users were affected, and we will proactively contact them.
The announcement did not disclose the amount of losses or the number of victims, and it caused even greater panic. With Polymarket's monthly transaction volume in 2025 estimated to be in the billions of dollars, even the "very few" could represent huge losses.
Unlike typical phishing attacks, no suspicious links were circulating at the time of the incident, and many victims had even enabled email 2FA. The key to bypassing the defenses lay not on the user's end, but in the third-party authentication running in the background.
Magic Labs' login mechanism became a weak point.
To lower the barrier to entry, Polymarket introduced Magic Labs' "One-Click Email Generation of Non-Custodial Wallets." Users no longer need to keep a seed phrase; they can manage their Ethereum assets simply by sending verification codes. Attackers, however, can directly exploit a system vulnerability in Magic Labs' authentication layer to gain control of the wallet, rendering 2FA (two-factor authentication) ineffective.
Current on-chain data shows that the hacker address split the assets and used multi-level mixing within a short period, increasing the difficulty of tracing the incident. While the official statement claims the issue has been "fixed," a full post-incident report has not yet been provided to the community.
Meanwhile, security firm SlowMist warned of a malicious Polymarket copy trading bot appearing on GitHub, specifically targeting advanced traders who create their own trading scripts. This program reads local configuration files and secretly transmits private keys. Although not directly related to the Magic Labs vulnerability, it surfaced on the same day.





