Polymarket Confirms Major Security Breach Tied to Third-Party Authentication Provider
The decentralized prediction market Polymarket has officially confirmed a significant security incident leading to user asset theft, attributing the breach to a critical vulnerability within a third-party identity verification service provider. The confirmation comes after a wave of distressed reports from users whose accounts were mysteriously emptied.
Accounts Emptied Despite Two-Factor Authentication and No Phishing Links
The alarm bells began ringing earlier this week as numerous users took to platforms like Reddit and X (formerly Twitter) to detail the sudden and inexplicable disappearance of their digital assets. Disturbingly, many victims reported having robust security measures in place.
“This morning, I woke up to three login attempt notifications for Polymarket on my phone,” one user shared on a Reddit discussion thread. “My device wasn’t compromised, and my Google account was fine. Yet, when I quickly logged into Polymarket, all my trades were closed, and my account balance was a mere $0.01.”
Another user recounted a similar experience, receiving three login alerts before their funds were completely drained. What makes these incidents particularly unsettling is the victims’ insistence that they had not clicked any suspicious phishing links and had even enabled two-factor authentication (2FA) for their email accounts, yet these safeguards proved insufficient against the attackers.
Magic Labs Implicated as the Common Vector
Preliminary analysis of victim reports across social media points to a common factor: the affected users had registered their Polymarket accounts through Magic Labs. Magic Labs is a third-party login and wallet service specifically designed to simplify entry into the cryptocurrency space for newcomers. It allows users to register an account quickly using just an email address, eliminating the need for complex private key management by automatically generating a non-custodial Ethereum wallet in the backend.
While Magic Labs effectively lowers the barrier to entry for the broader crypto ecosystem, this incident starkly illustrates a critical trade-off. The very convenience offered by third-party authentication services can, in the event of a security flaw, transform into a direct conduit for malicious actors to exploit.
Polymarket’s Official Response and Pending Details
After several days of anxious silence from the platform, Polymarket finally addressed the situation on Tuesday via its official Discord channel, stating:
“We recently identified and resolved a security issue affecting a small number of users. This incident was caused by a vulnerability in a third-party identity verification service provider.”
However, Polymarket’s statement remained light on specifics. The platform did not disclose the exact number of users affected or the total value of stolen assets, nor did it name the implicated third-party service provider. Polymarket merely emphasized that the vulnerability has been patched and no ongoing risks have been observed.
Polymarket further added that it would proactively contact all affected users. Crucially, details regarding potential full compensation for user losses are still awaiting further clarification, leaving many victims in limbo.
Disclaimer: This article is provided for market information purposes only. All content and views are for reference only and do not constitute investment advice. They do not represent the views and positions of BlockTempo. Investors should make their own decisions and trades. The author and BlockTempo will not be held responsible for any direct or indirect losses incurred by investors’ transactions.