by Source Defense

(aka a Textbook Digital Skimming Attack)

TL;DR – On June 25, 2026, Polymarket disclosed that a “3rd party vendor had been compromised, injecting a malicious script into our frontend for some users.” It never identified the vendor or the compromised dependency. Source Defense Research tracked down the actual payload.

A third-party script that Polymarket loaded was replaced, at its source, with an 18 KB wallet drainer hardcoded to target Polymarket. The attack ultimately drained approximately $3 million in pUSD from roughly 11 high-value wallets.

More importantly, our investigation found that the same malicious script was being served to unrelated websites at the same time. Only Polymarket users lost funds because the malware specifically targeted Polymarket – but every website loading that compromised third-party resource was unknowingly executing attacker-controlled code.

This is not simply another cryptocurrency story, it’s a textbook client-side supply-chain attack that mirrors the digital skimming (Magecart) campaigns responsible for billions of dollars in payment card fraud over the past decade.

What Polymarket Disclosed

“This morning, we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency. We’re contacting impacted users & refunding them in full.”

No vendor was identified. No dependency was named.

Blockchain researchers including Specter, PeckShield and Bubblemaps quickly estimated losses approaching $3 million across fewer than 15 wallets (approximately 11 confirmed victims). The stolen pUSD was converted into ETH and bridged from Polygon to Ethereum.

One point immediately stood out. The blockchain itself was never compromised.

The smart contracts performed exactly as designed.

The attack occurred entirely in the browser, the same attack surface that has fueled years of eSkimming and digital skimming attacks against online merchants.

So we went looking for the script.

The Hunt: From Homepage Diff to a Marketing Tag

We began where Polymarket’s disclosure pointed us: the frontend.

Comparing archived versions of the homepage before and after the incident revealed one notable difference.

A third-party marketing tag that existed before the attack disappeared immediately afterward.

That tag dynamically loaded JavaScript from an externally hosted service:

loader = function (key) {
  var script = document.createElement("script");
  script.async = true;
  script.src = "https://<third-party-host>/" + key + "/loader.js";
};

By itself, this loader appeared benign.

We reviewed multiple historical versions and found no malicious wallet functionality.

However, it performed one critically important action.

It dynamically loaded another third-party JavaScript library from a second external host.

let s = document.createElement("script");
s.src = "https://<third-party-host-2>/<library>.js";
document.head.appendChild(s);

That nested trust chain: 

Polymarket → Marketing Vendor → External Identity Library

was the only location where externally hosted JavaScript executed wholesale inside the application.

That made it the obvious place to investigate.

The Smoking Gun

The legitimate identity library weighs approximately 479 KB.

The version served during the attack measured only 18 KB.

It began like this:

_W:[
0x51Cf...
0xC771...
0x7BCE...
],
MIN_USD:100000,
MIN_BID_DEPTH:5

This was not an identity library. It was a purpose-built wallet drainer.

The script referenced:

  • Polymarket’s relayer
  • Polymarket APIs
  • Embedded wallet infrastructure
  • Attacker payout wallets
  • Attacker-controlled infrastructure

Even more importantly…

The same compromised third-party host delivered the malware and received stolen information back through image beacon requests.

Whoever controlled that infrastructure controlled the attack.

The Attack, Step by Step

1. Delivery

Polymarket loaded a trusted third-party marketing tag.

That marketing tag loaded a second third-party JavaScript library.

Instead of receiving the legitimate library, browsers received the malicious wallet drainer.

Nothing appeared suspicious to the browser.

Everything originated from trusted infrastructure.

2. Reconnaissance

The malware queried Polymarket APIs to determine the visitor’s holdings.

3. Targeting

Only wallets worth more than $100,000 were attacked.

This selective targeting dramatically reduced the number of victims while allowing the campaign to remain active longer.

4. Coerced Signature

Victims were repeatedly prompted to sign an EIP-712 authorization.

The malware continued prompting until users eventually approved the transaction.

5. Abuse of Legitimate Infrastructure

The authorization was submitted through Polymarket’s own gasless relayer.

Nothing about the blockchain transaction itself appeared malicious.

6. Exfiltration

Results – including wallet values, addresses, authentication methods and transferred amounts – were beaconed back to the attacker through the same compromised third-party host.

Following the Money

Blockchain analysis shows stolen pUSD converted into ETH before ultimately converging into:

0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD

Two attacker wallets embedded directly inside the recovered malware funded that address.

The recovered source code and blockchain activity independently validate one another.

It Wasn’t Just Polymarket

Perhaps the most significant finding from our research has received very little public discussion. The malicious JavaScript was not served exclusively to Polymarket.

It was simultaneously delivered to unrelated websites.

That means the compromise occurred upstream, in the vendor’s digital supply chain – not inside Polymarket itself.

Source Defense identified the compromised third-party as a widely deployed marketing technology provider with visibility into at least 3,000 well-known brands worldwide.

Fortunately, the attacker intentionally hardcoded Polymarket-specific targeting.

On every other website the malware quietly failed because the APIs it expected simply did not exist. But that should not provide comfort.

Every organization serving that JavaScript had effectively delegated execution of arbitrary attacker-controlled code into every visitor’s browser.

The only thing preventing a much larger incident was the attacker’s decision to target a single victim.

Tomorrow, the exact same compromised supply chain could just as easily target one of those other thousands of organizations.

The Polymarket Attack Also Exposes a Dangerous Industry Misconception

One aspect of this incident deserves considerably more attention than it has received.

Several security write-ups published shortly after disclosure recommended deploying Content Security Policy (CSP) or Subresource Integrity (SRI) to defend against attacks like this.

While understandable, those recommendations fundamentally misunderstand how this attack succeeded.

Our research indicates Polymarket maintained a sophisticated and well-managed Content Security Policy.

It simply made no difference.

Why?

Because CSP is fundamentally a whitelist.

It answers one question:

“Is this script allowed to execute?”

The compromised JavaScript originated from a trusted third-party already authorized by Polymarket.

From the browser’s perspective, nothing unusual occurred.

The browser faithfully executed code from an approved supplier.

The malicious behavior happened only after that trust decision had already been made.

This illustrates the central weakness of whitelist-based security.

If attackers compromise a trusted supplier (or a supplier’s own supply chain) the browser will execute malicious code exactly as instructed because the source has already been declared trustworthy.

That appears to be exactly what happened here.

A Textbook Digital Skimming Attack

From a client-side security perspective, there is remarkably little difference between this attack and traditional digital skimming/eSkimming (Magecart) campaigns.

The attackers:

  • Compromised a trusted third-party supplier instead of the website itself
  • Delivered malicious JavaScript through an approved supply chain
  • Executed inside every visitor’s browser
  • Examined sensitive user data before backend protections could ever see it
  • Selected only high-value victims to reduce detection
  • Quietly exfiltrated stolen information using ordinary browser functionality

The only meaningful difference was the asset being stolen.

Traditional digital skimming campaigns harvest:

  • payment cards
  • credentials
  • personally identifiable information

This campaign harvested cryptocurrency. The underlying attack methodology remained almost identical.

For years, Visa, Mastercard, Verizon, PCI DSS, Europol and numerous incident response organizations have warned that attackers increasingly compromise website supply chains rather than merchant infrastructure itself. This attack demonstrates that exactly the same techniques now threaten cryptocurrency platforms as well.

The CSP and SRI Fallacy

Content Security Policy and Subresource Integrity remain valuable browser technologies.

They simply were never designed to stop trusted JavaScript from behaving maliciously.

CSP controls where scripts may load from.

SRI verifies that a static file matches a cryptographic hash.

Neither answers questions such as:

  • Is this script reading wallet information?
  • Is it scraping payment data?
  • Is it requesting signatures?
  • Is it modifying the DOM?
  • Is it injecting additional code?
  • Is it transmitting sensitive information elsewhere?

Those are runtime behavioral questions.

When malicious activity originates from an already trusted supplier, static trust models become ineffective.

This is precisely why Source Defense and numerous independent QSAs have consistently warned against relying exclusively on CSP or SRI to defend against modern client-side attacks. Behavior-based runtime controls are necessary because attackers increasingly hide inside services websites already trust.

Even PCI DSS Leaves Room for Dangerous Assumptions

To be clear:

PCI DSS correctly identifies client-side attacks as a major fraud concern.

Requirements 6.4.3 and 11.6.1 require organizations to:

  • inventory scripts
  • authorize scripts
  • justify scripts
  • monitor changes
  • detect unauthorized modification

Those are important controls.

However, accompanying guidance references approaches including CSP and SRI as possible implementation mechanisms.

Unfortunately, many organizations have interpreted this guidance to mean that deploying CSP or SRI alone provides meaningful protection against modern digital skimming attacks.

The Polymarket incident demonstrates why that assumption is dangerous.

If attackers operate through an already trusted supplier, CSP has little ability to distinguish malicious behavior from legitimate functionality.

Likewise, SRI provides limited value for dynamic third-party JavaScript that changes frequently or delivers customized content.

The better question is no longer:

“Was this script authorized?”

The better question is:

“What was this authorized script actually allowed to do?”

Modern client-side security solutions like Source Defense answer that question by applying zero-trust principles directly to third-party JavaScript – sandboxing execution, controlling behavior, and preventing unauthorized access to sensitive data regardless of whether the code originates from a trusted partner or a compromised one. That behavioral approach aligns much more closely with the techniques attackers are using today.

Indicators of Compromise

Malicious payload

  • SHA256: ba91ef169fc4a2a57a97ba6b1590c9861ea9113baf1313288428b2abfe0fdec6
  • Approximately 18 KB
  • Impersonated a legitimate 479 KB library

Attacker wallets

  • 0x51Cf782223289C05568F9F7Dede8CB1bC2f9c5Ca
  • 0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2
  • 0x7BCECe0d8fd92ECCf39Bc35242c6D9aAc0aA75A6

Consolidation wallet:

0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD

Legitimate infrastructure abused

  • relayer-v2.polymarket.com
  • clob.polymarket.com
  • data-api.polymarket.com
  • embedded wallet infrastructure

The Larger Lesson: Trusted Scripts Have Become the Internet’s Soft Underbelly

Polymarket’s blockchain worked. Its smart contracts worked. Its cryptography worked.

Its audits worked. The compromise occurred somewhere entirely different.

It occurred inside a trusted third-party JavaScript supply chain executing with complete privilege inside users’ browsers.

That is exactly how modern digital skimming attacks have operated for years. The only thing that changed was the target. Instead of stealing payment cards, attackers stole cryptocurrency.

Organizations increasingly depend on dozens of third-party JavaScript suppliers. Website owners routinely extend complete trust to these partners, despite broader industry adoption of zero-trust principles everywhere else in enterprise security.

The Polymarket incident demonstrates why that model is increasingly difficult to defend.

Organizations need more than visibility into which scripts execute.

They need continuous runtime control over what those scripts are allowed to do after they begin executing.

Without that capability, every trusted third-party relationship becomes another opportunity for attackers to hide malicious activity inside software the browser has already been instructed to trust.

Research by Source Defense Research

Disclosure note: At the time of analysis, the malicious script was observed being served from a legitimate third-party provider. Whether the incident resulted from compromise of the vendor itself, its build pipeline, or associated infrastructure remains under investigation. Because the poisoned script was observed on additional websites and responsible disclosure efforts remain ongoing, identifying information relating to the vendor has been intentionally withheld pending notification.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.