The decentralized prediction platform Polymarket has just confirmed that some user accounts were compromised in a recent security incident, stemming from a vulnerability in a third-party authentication provider, rather than from the platform's core infrastructure.
Users report losing money even though they didn't click on suspicious links.
The first reports of hacked accounts began appearing this week on X (Twitter) and Reddit, with many users sharing that their entire trading positions had been closed and their balances were nearly zero.
A user wrote on Reddit that they received three unusual login alerts to Polymarket, even though their device hadn't been compromised, their Google account showed no suspicious activity, and other services were secure. Upon logging into Polymarket, they discovered all transactions had been closed and their account balance was only $0.01.
Another user reported receiving numerous unauthorized login notifications, after which all the money in their Polymarket account was withdrawn, even though they hadn't clicked on any links and their email had two-factor authentication (2FA) enabled.
Related to Magic Labs
According to community feedback, the issue appears to only affect users who registered for Polymarket through Magic Labs. This service allows users to log in with email and automatically creates a non-custodial Ethereum wallet, often used by crypto newcomers who don't yet have their own wallet.
Polymarket: The issue has been resolved, no longer a risk.
On Tuesday, Polymarket officially acknowledged the issue on the project's Discord channel. According to the announcement, the platform has identified and resolved the problem, and confirmed that there are no remaining risks.
Polymarket stated:
- The issue only affected a small number of users.
- The cause is a vulnerability originating from the third-party authentication provider.
- The team will proactively contact the affected accounts.
However, Polymarket did not disclose the number of affected users, the value of stolen assets, or name the third-party vendor in its official announcement.
This is not the first time Polymarket has experienced a security incident.
This is not the first time Polymarket has faced issues related to user security.
- In September 2024, many accounts logged in using Google reported having their USDC wallets completely emptied when attackers used proxy commands to transfer funds to phishing addresses. At the time, Polymarket also suspected the cause was related to third-party authentication services.
- Last month, another phishing campaign exploiting the comments section on Polymarket caused over $500,000 in losses when scammers posted fake links leading users to pages that required logging in with fake email addresses.
Warning for users
This chain of incidents once again highlights that login authentication and user experience (UX) are becoming major weaknesses in Web3 platforms, especially with "login with email" solutions aimed at new users.



