Polymarket announced that a third-party vendor compromise on Thursday allowed attackers to insert malicious code into its website, resulting in the loss of about $2.94 million from at least 11 user wallets. The breach involved a malicious script injected into the platform's frontend, which blockchain analyst Specter identified as facilitating a phishing attack. Polymarket said on its X account that the vulnerability was contained and the affected dependency removed, and that user funds would be refunded. The company has not responded to requests for comment.

The incident marked the 89th reported crypto security breach in the second quarter, extending a record-breaking quarter for incident count, according to DefiLlama. Other June exploits included a $36 million Humanity Protocol hack, a $4.7 million Secret Network bridge exploit, two Aztec exploits each worth $2.1 million, and a $1.7 million Taiko bridge exploit. Private key compromises accounted for 43 percent of June losses, while fake proof attacks represented 10 percent and reverse MEV honeypots 8 percent, DefiLlama reported.

About a month earlier, Polymarket disclosed a $600,000 exploit traced to a six-year-old private key used for internal top-up operations; Polymarket's vice president of engineering, Josh Stevens, said the platform's contracts and user funds remained secure and that permissions linked to the key had been revoked. Polymarket currently holds more than $450 million in total value locked, up 301 percent from $112 million a year earlier. The episode highlights ongoing security challenges in the prediction-market sector as crypto users continue to bet on a wide range of events.
- Publisher: cointelegraph
- Reliability: high
- Published: 6/26/2026, 1:00:17 PM
- Retrieved: 6/26/2026, 1:00:17 PM
- Relevance: 80%
- Confidence: 85%

