Polymarket says it will fully refund users after a hacked third-party vendor let attackers inject malicious code into its website and drain about $3 million from customer wallets.

The attack hit pUSD, Polymarket's USDC-backed stablecoin, before funds were swapped to ETH. Bubblemaps says it was largely contained, with fewer than 15 accounts touched.

Polymarket says the frontend issue is now contained and removed — its second breach in a month, after a roughly $700K employee-wallet hack in May.