Polymarket confirms that a vulnerability in a third-party verification service led to users’ accounts being emptied even when 2FA was enabled. The platform has patched the issue and promised to contact affected users.
In response to recent cases of users’ assets being stolen by hackers, decentralized prediction market platform Polymarket confirmed on Tuesday that the intrusion was caused by a security flaw in a third-party authentication service provider.
No phishing links clicked, two-factor authentication enabled, yet accounts still emptied
This security incident has been unfolding since the beginning of this week, with many users posting help requests on Reddit and X describing how the assets in their accounts disappeared. One user wrote in a Reddit discussion:
This morning I woke up and saw notifications on my phone about 3 login attempts to Polymarket. My device wasn’t hacked, and there were no anomalies with my Google account, but when I quickly logged into Polymarket to check, I found all my trades had been closed out, leaving my account balance at only $0.01.
Another user on the message board experienced the same attack pattern: they received 3 login alerts, and their funds were looted immediately afterward. Alarmingly, this user emphasized that they had never clicked any phishing links and had even enabled “two-factor authentication (2FA)” on their email, yet still couldn’t stop the hackers.
According to victim reports compiled on social media, this attack seems to target users who registered on Polymarket via Magic Labs.
Magic Labs is a third-party login and wallet service designed specifically for crypto “beginners.” Users do not need to manage complex private keys; they can quickly register with an email, and the system automatically generates a “non-custodial Ethereum wallet” in the background.
While Magic Labs lowers the barrier to entry into the crypto space, this attack shows that a third-party verification service promising convenience can become a shortcut for hackers when it has a security vulnerability.
After remaining silent for several days, Polymarket finally responded on Tuesday via its official Discord channel:
We recently discovered and resolved a security issue affecting a small number of users. This incident was caused by a vulnerability in a third-party identity verification service provider.
However, Polymarket did not specify the number of affected users, disclose the total stolen funds, or name the involved third-party service provider. The platform only emphasized that the relevant vulnerability has been patched and that no ongoing risks have been observed.
Polymarket added that it will proactively contact all affected users, but whether full compensation for losses will be provided remains to be seen.
This article is reprinted with permission from: 《Block Guest》
Original title: 《Woke up to find account balance at $0.01! Polymarket confirms some users were hacked due to third-party vulnerability》