Polymarket announced it will refund users after a phishing attack that stole about $2.94 million from at least 11 wallets. The company removed a malicious frontend dependency and contained the incident. The attack was traced to a compromised third‑party vendor that injected malicious code into the platform’s frontend, enabling phishing of connected wallets, according to blockchain analyst Specter, who said the incident was a phishing campaign rather than a protocol exploit. Stolen assets were swapped for ETH and consolidated into a single address, and DefiLlama recorded the breach as the 89th security incident in the second quarter, the highest count for the quarter. In June, crypto exploits resulted in $74.9 million in losses across 29 incidents, lower than April’s $644 million but higher than May’s $60.5 million, with the largest June attack being a $36 million Humanity Protocol exploit followed by a $4.7 million Secret Network bridge exploit and two $2.1 million Aztec exploits. About a month earlier Polymarket disclosed a separate incident in which attackers used a six‑year‑old private key to steal roughly $600,000, a case the company said did not compromise user funds or smart contracts after revoking permissions linked to the compromised key. Polymarket said all affected users will receive full refunds, underscoring the risks of relying on third‑party components in decentralized finance platforms.