Polymarket is dealing with mounting problems on several fronts after a phishing campaign stole millions of dollars from users just as the prediction market platform faces growing pressure from lawmakers, regulators and fresh criticism over its marketing strategy and public image.

On Thursday (June 25), the company disclosed that a third-party vendor supporting its frontend had been compromised, allowing attackers to inject malicious code that targeted some users. Polymarket said it quickly removed the affected dependency, contained the incident and began contacting impacted customers. The company also pledged to fully reimburse everyone who lost funds.

This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.

— Polymarket Traders (@PolymarketTrade) June 25, 2026

“We discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users,” the company said in a statement shared on X. Polymarket added that the malicious dependency had been removed and affected users would receive full refunds.

#PeckShieldAlert Specter has reported that a #phishing campaign appears to be targeting #Polymarket users, with ~$3M worth of $PUSD drained.

The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 $ETH. pic.twitter.com/Li4nZY1me4

— PeckShieldAlert (@PeckShieldAlert) June 25, 2026

Security researchers later determined the attack was a phishing operation rather than a breach of Polymarket’s underlying smart contracts. Blockchain security researcher Specter estimated the attackers stole more than $2.9 million from at least 11 wallets. PeckShieldAlert separately estimated roughly $3 million in PUSD was drained before the stolen assets were bridged from Polygon to Ethereum and swapped for approximately 1,893 ETH. Researchers also published wallet addresses tied to the theft while warning users to stay alert for similar attacks.

It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far.

The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds into the following address:… pic.twitter.com/6WfS0JhdDG

— Specter (@SpecterAnalyst) June 25, 2026

The cybersecurity incident arrived at a difficult moment for the company, with renewed attention falling on its business practices, moderation decisions and regulatory compliance.

Polymarket marketing campaign and phishing attack news reaches Washington

The same day Polymarket disclosed the phishing attack, Senators John Curtis and Adam Schiff sent a letter to Commodity Futures Trading Commission Chairman Michael Selig urging the agency to investigate allegations surrounding the company’s marketing practices.

Their request follows allegations contained in a lawsuit filed by the National Association of Consumer Advocates in Washington, D.C., which accuses Polymarket of using undisclosed paid influencers, simulated trading websites, deceptive promotional videos and marketing campaigns that allegedly targeted American consumers despite previous regulatory restrictions.

Companies operating under the guise of federally regulated financial markets need to play by the rules. Reports that Polymarket used deceptive marketing tactics to promote gambling-style products raise serious questions about how these market operators should be regulated. https://t.co/bswwXpTp4r

— Senator John Curtis (@SenJohnCurtis) June 26, 2026

The complaint also alleges the company maintained an intertwined corporate structure spanning multiple entities while continuing to promote both its offshore platform and U.S. business. The claims, which were originally reported by the Wall Street Journal, remain allegations in ongoing litigation.

In their letter, the senators said recent reporting and allegations, if proven, “are deeply troubling and demand immediate scrutiny” from the CFTC.

The lawmakers also questioned whether prediction markets deserve different regulatory treatment than gambling platforms. They argued that marketing campaigns portraying prediction markets as “free money” undermine industry claims that these products primarily serve hedging and price-discovery purposes rather than gambling.

Their letter revisits Polymarket’s 2022 CFTC enforcement action, which resulted in a $1.4 million civil penalty and required the company to stop operating an unregistered event-based binary options platform in the United States. The senators also questioned whether subsequent marketing efforts continued reaching American users.

Among the questions posed to the CFTC are whether the agency is investigating the reported conduct, what advertising standards currently govern prediction markets and whether regulators have enough authority and resources to oversee products critics say increasingly resemble online gambling. The senators requested written responses by July 10.

CNBC also reported that the CFTC has opened an investigation into Polymarket, citing a source familiar with the matter, although the agency has not publicly confirmed the existence of any investigation.

Marketing missteps add to Polymarket’s growing controversies

The latest regulatory attention comes after several high-profile controversies involving Polymarket’s public-facing communications and market listings.

Earlier this year, the company faced backlash after a market titled “Artemis II explodes?” spread widely across social media. The contract briefly implied an 8% probability that the event would occur, prompting criticism from users who argued that wagering on what appeared to be a fatal space disaster crossed ethical boundaries.

Polymarket responded by explaining that the market was intended to measure the possibility of a booster-stage rupture after separation rather than any threat to the Orion crew capsule or astronauts. The company renamed the contract “Artemis II booster rupture?” before ultimately withdrawing it altogether and refunding outstanding shares after acknowledging widespread confusion about the market’s wording.

The incident reignited debates about prediction markets centered on disasters, deaths and other sensitive events. It also drew renewed attention to the company’s broader social media strategy.

We previously reported that Polymarket has increasingly pursued viral engagement on X, noting that some widely shared posts from company accounts later proved inaccurate. One example involved a sports-focused Polymarket account claiming a “no bag policy” had been introduced at a WNBA game to stop spectators from throwing sex toys onto the court. The post generated tens of millions of views before the league denied the claim.

The company’s online communications also attracted criticism in late 2025 after a now-deleted company social media post allegedly contained racist language directed at users from India, Nigeria and Turkey.

Company Chief Legal Officer Neal Kumar later apologized publicly, writing: “The post earlier this week from an unofficial Company account was unacceptable, and we take full responsibility.”

He added: “As an Indian American, looking up the history of the term sucked. I’ve always found engagement to be far more effective than rage, and believe this came from a place of misunderstanding, not hate.”

“The post earlier this week from an unofficial Company account was unacceptable, and we take full responsibility,” Kumar wrote. “As an Indian American, looking up the history of the term sucked. I’ve always found engagement to be far more effective than rage, and believe this came from a place of misunderstanding, not hate.

“Uncomfortable conversations to understand each other is a practice to live and breathe, and we had one here this week to make us stronger. We apologize for the pain and we are committed to doing better.”

Social media critics argued the apology should have come from Polymarket’s official account rather than a company executive.

ReadWrite has reached out to Polymarket for comment.

Featured image: Polymarket / Canva

The post Polymarket battles cyberattack while regulatory pressure intensifies across American prediction markets appeared first on ReadWrite.

This post was originally published on this site