Community Investigation

Comprehensive Threat Intelligence Report: Polymarket Frontend Supply Chain Attack

dooooo

June 29, 2026

0. Forensic Methodology

To investigate this high-profile frontend exploit, the ChainBounty Threat Intelligence team deployed the SentinelTX Blockchain Forensic Intelligence System. Our forensic specialists ran a multi-hop trace across heterogeneous networks (Polygon to Ethereum Mainnet) to assemble an evidentiary chain of custody:

  1. OSINT Aggregation: Compiled open-source intelligence logs from public threat feeds (including Specter and PeckShieldAlert) to establish the primary point of compromise and target addresses.
  2. Multi-Chain Asset Auditing: Executed real-time state and balance checks across both the Polygon and Ethereum layers to monitor historical and dormant movements.
  3. Outbound Multi-Hop Profiling: Initiated automated tracing workflows from the attacker-controlled wallets to flag laundering infrastructure, mixers, tumblers, and centralized exchange (CEX) deposit corridors.
  4. Cross-Chain Bridge Mapping: Tracked telemetry data traversing third-party bridge protocols (specifically identifying Relay.link) to match outbound Polygon transaction events with inbound Ethereum mainnet arrivals.
  5. Threat Identity Attribution: Evaluated wallet clusters against the Sentinel Threat Intelligence Database (TRDB) to separate verified institutional counterparties from unlabelled externally owned accounts (EOAs).
  6. Evidentiary Anchoring: Bound all trace configurations to per-transaction hashes and block height records to meet legal and judicial evidence standards.
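Step 4 (cross-chain bridge mapping) is the one step above that is easy to get wrong: Relay.link fills arrive on Ethereum as plain ETH transfers with no on-chain reference back to the Polygon deposit, so the two legs have to be paired by value and timing. The following is an added example, not code from the SentinelTX system or from ChainBounty; it assumes a single spot price (the figure the report's own valuations imply), a fixed arrival window and a fee/slippage tolerance, and all transfer records in it are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeLeg:
    """One on-chain leg of a bridge transfer (constructed sample data, not live chain records)."""
    tx: str        # transaction hash or a short label
    ts: int        # block timestamp, unix seconds
    amount: float  # USDC.e units on the Polygon side, ETH units on the Ethereum side


# Assumed ETH/USD spot price at bridge time. The report's valuation of
# 1.000 ETH = USD 1,564.81 implies this figure; a real trace would use a
# per-block price feed instead of one constant.
ETH_USD = 1564.81

# Constructed Polygon-side deposits into the bridge from the exploiter address.
POLYGON_OUT = [
    BridgeLeg("p1", 1_000, 100_000.0),
    BridgeLeg("p2", 1_300, 50_000.0),
    BridgeLeg("p3", 1_600, 25_000.0),
    BridgeLeg("p4", 4_000, 10_000.0),   # no Ethereum-side arrival within the window
]

# Constructed Ethereum-side ETH arrivals at the consolidation address.
ETH_IN = [
    BridgeLeg("e1", 1_250, 63.30),
    BridgeLeg("e2", 1_500, 31.60),
    BridgeLeg("e3", 1_650, 15.85),
    BridgeLeg("e4", 2_000, 0.50),       # unrelated top-up, should stay unmatched
]


def fill_value_usd(fill: BridgeLeg, price: float) -> float:
    """USD value of an Ethereum-side ETH arrival at the assumed spot price."""
    return fill.amount * price


def match_bridge_flows(polygon_out, eth_in, price=ETH_USD, window_s=1800, tolerance=0.015):
    """Pair each Polygon-side bridge deposit with the earliest unmatched Ethereum-side
    arrival that (a) lands after the deposit but within `window_s` seconds and
    (b) is worth the deposit amount to within `tolerance` (bridge fee plus slippage).

    Greedy, one-to-one, in deposit time order.
    Returns (matches, unmatched_deposits, unmatched_arrivals).
    """
    pending_in = sorted(eth_in, key=lambda leg: leg.ts)
    matches, unmatched_out = [], []
    for dep in sorted(polygon_out, key=lambda leg: leg.ts):
        hit = None
        for fill in pending_in:
            if not (dep.ts < fill.ts <= dep.ts + window_s):
                continue
            drift = abs(fill_value_usd(fill, price) - dep.amount) / dep.amount
            if drift <= tolerance:
                hit = fill
                break
        if hit is None:
            unmatched_out.append(dep)
        else:
            matches.append((dep, hit))
            pending_in.remove(hit)
    return matches, unmatched_out, pending_in


if __name__ == "__main__":
    matched, miss_out, miss_in = match_bridge_flows(POLYGON_OUT, ETH_IN)
    for dep, fill in matched:
        print(f"{dep.tx} ({dep.amount:,.0f} USDC.e @ {dep.ts}) -> {fill.tx} ({fill.amount} ETH @ {fill.ts})")
    print("unmatched deposits:", [d.tx for d in miss_out])
    print("unmatched arrivals:", [f.tx for f in miss_in])
```

The unmatched lists are the output that matters in an investigation: a deposit with no arrival means the funds went to a different destination chain or address than the one being watched, and an arrival with no deposit means the consolidation address has another funding source that still needs tracing. Tightening the tolerance below the bridge's real fee makes every pair fall out, so the tolerance should be calibrated against known-good bridge transfers before it is applied to the suspect ones.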

1. Executive Summary

On June 25, 2026, Polymarket's web frontend was compromised through a third-party vendor in its software supply chain. The adversary injected a malicious JavaScript payload into the frontend that altered the contract calls the page triggers, so that those calls siphoned user wallet balances. The total loss from this incident is estimated at approximately USD 2,940,000 in Polymarket USD (PUSD).

On-chain analysis shows that after siphoning the PUSD on the Polygon network, the attacker quickly swapped the assets to USDC.e and bridged them to the Ethereum Mainnet. The incoming flows were then consolidated into a single Ethereum master aggregation address: 0xe65b1c586757c5510B60F998Eebb14C1Ef71E1eD.

A total of 1,893 ETH was collected at this nexus and subsequently split across four paths (A to D), which fall into two groups:

  • Primary Dormant Hoard (99.8%, Paths A and B): A total of 1,888.516 ETH (valued at roughly USD 2,960,000) was pushed into two high-capacity storage wallets, where it remains completely stationary under the attacker's control. This provides an immediate window of opportunity for centralized exchange blocklisting and legal intervention.
  • Layering & Mixing (0.2%, Paths C and D): A minor fraction (4.4 ETH) was routed to an unlabelled dispersion wallet and through an automated circular tumbler loop to test laundering exit paths.

2. Complete Chronological Attack Timeline

Timestamp (UTC) | Event Description | Block Height | Transaction Hash (TX) | Associated Addresses
--- | --- | --- | --- | ---
2026-06-25 | Malicious JS injection starts via compromised third-party vendor | N/A | N/A | Polymarket frontend
2026-06-25 21:55:11 | Attacker initiates minor L1 dispersion transfer (Path D) | 25397458 | 0xf2c690d8bf1b7a12b3126cdb0adc2c43c3e82134f38fa1fb52f1345ef7e6e6fc | 0xe65b1c58...1eD -> 0xe3c8c6cfcfb8edfa83b86e5a98e58568f78bd922
2026-06-25 22:19:47 | Attacker routes gas capital to structural mixer node (Path C) | 25397581 | 0xc807fc375cadf9c2b8f8c0e4c67795dd42199c094f28914424e55537041be605 | 0xe65b1c58...1eD -> 0x5a6b2f8fab6cf480c93d152ef96d1e0c830fe587
2026-06-26 07:08:23 | Master wallet funds secondary storage wallet (Path B) | 25400213 | 0x67fdfea184253b97f32da76f0d77e82650924d3be702d7858050e4be8efc5521 | 0xe65b1c58...1eD -> 0xea0a80070c38f63c10d7fed95286e83eb415441f
2026-06-26 20:49:59 | Main capital migration to primary storage vault (Path A, part 1) | 25404301 | 0x62781171eef8748b967d3926c82f5c73cbf2cb40a189443347ad9f276966b086 | 0xe65b1c58...1eD -> 0x975268a2a71e4a7e282b962ec0b1ee01d3778ac0
2026-06-26 20:57:47 | ERC20 state consolidation to primary storage vault (Path A, part 2) | 25404340 | 0xc053a95983965c1e0ee39f04c22f1ae1ef65dcea95c0295ebd57145814f59795 | 0xe65b1c58...1eD -> 0x975268a2a71e4a7e282b962ec0b1ee01d3778ac0

3. Detailed Inventory of Stolen Assets

Asset Volume | Location / Role | Spot Valuation (USD) | Operational Status
--- | --- | --- | ---
537,526 USDC.e | Bridged via Relay.link | 537,526.00 | Siphoned on Polygon via 0xC771A30a...cBaAe2; converted to L1 ETH.
1,788.516 ETH | Vault Storage Address 1 | 2,798,692.50 | Held entirely static inside 0x975268a2...78ac0. Zero outbound movement.
100.000 ETH | Vault Storage Address 2 | 156,624.25 | Held entirely static inside 0xea0a8007...5441f. Zero outbound movement.
3.400 ETH | Dispersion Wallet | 5,320.35 | Stored static inside 0xe3c8c6cf...bd922. No outbound activity.
1.000 ETH | Laundering Node | 1,564.81 | Dispersed through cascading programmatic micro-transactions.
1,888.516 ETH | Total Unliquidated Residue (Vaults 1 and 2) | 2,960,637.10 | 99.8% of total loot immediately available for targeted blocklisting.

4. Advanced Fund Flow & Cluster Analysis

Cross-Chain Bridge Ingestion Layer

The initial compromise siphoned user PUSD directly into the threat actor's primary Polygon collection address: 0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2. To break the single-chain trail, the attacker swapped the proceeds for Polygon-native USDC.e and bridged them through the Relay.link cross-chain portal, receiving native ETH on the Ethereum Mainnet from the bridge's destination-side liquidity.

Master Distribution and Layering Architecture

At the Ethereum Mainnet consolidation nexus (0xe65b1c58...E1eD), the capital was split across four tracks (Paths A to D): two long-term holding vaults and two small probes of laundering exit paths.

  • Path A & B (The Master Vaults): Combined, these paths hold 1,888.516 ETH, 99.8% of all stolen capital. Neither wallet shows any outbound transaction, which points to a long-term storage strategy rather than active exit-liquidation.
  • Path C (The Programmatic Tumbler): A 1.0 ETH probe was processed through a 6-tier split structure (transfers ranging from 0.04 to 0.61 ETH). Forensic analysis flagged a distinct "reverse-flow loop" pattern (funds sent from one address to another and partly sent back) across 2 addresses, consistent with scripted mixing, before residual dust was deposited into a final collection account (0x113b0cef...20bc0).
  • Path D (Minor Dispersion): 3.4 ETH was sent to an unlabelled wallet (0xe3c8c6cf...bd922) that has shown no activity since.
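The outbound profiling behind the path breakdown above (methodology step 3) is a graph walk from the consolidation address: attribute every downstream balance to the first hop it left through, flag first hops with no outbound history as dormant, and look for address pairs with transfers in both directions, which is the "reverse-flow loop" signature. The following is an added example and not the SentinelTX tooling; the four first-hop amounts follow the report's figures, but the transfer log is constructed, the tumbler sub-nodes (C1 to C3) are stand-in addresses the report does not list, and gas is ignored so that amounts conserve.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    tx: str
    src: str
    dst: str
    eth: Decimal


# Addresses taken from the report's key address ledger (lower-cased).
MASTER = "0xe65b1c586757c5510b60f998eebb14c1ef71e1ed"
VAULT_1 = "0x975268a2a71e4a7e282b962ec0b1ee01d3778ac0"
VAULT_2 = "0xea0a80070c38f63c10d7fed95286e83eb415441f"
DISPERSION = "0xe3c8c6cfcfb8edfa83b86e5a98e58568f78bd922"
TUMBLER = "0x5a6b2f8fab6cf480c93d152ef96d1e0c830fe587"
ACCUMULATOR = "0x113b0cef1061992ea30dc70f3949e0bbeae20bc0"
# Intermediate tumbler sub-nodes: constructed stand-ins, not addresses from the report.
C1, C2, C3 = "0xc1" + "0" * 38, "0xc2" + "0" * 38, "0xc3" + "0" * 38

E = Decimal
# Constructed transfer log. Only the four first-hop amounts follow the report;
# everything below the tumbler hub is illustrative.
TRANSFERS = [
    Transfer("t1", MASTER, VAULT_1, E("1788.516")),
    Transfer("t2", MASTER, VAULT_2, E("100")),
    Transfer("t3", MASTER, DISPERSION, E("3.4")),
    Transfer("t4", MASTER, TUMBLER, E("1.0")),
    Transfer("t5", TUMBLER, C1, E("0.61")),
    Transfer("t6", TUMBLER, C2, E("0.35")),
    Transfer("t7", C1, C3, E("0.30")),
    Transfer("t8", C1, C2, E("0.30")),
    Transfer("t9", C2, C1, E("0.20")),    # reverse flow: C2 sends part of it back to C1
    Transfer("t10", C3, ACCUMULATOR, E("0.09")),
]


def out_edges(transfers):
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    return out


def net_balances(transfers):
    """Resting balance of every address as implied by the transfer log alone (gas ignored)."""
    bal = defaultdict(Decimal)
    for t in transfers:
        bal[t.src] -= t.eth
        bal[t.dst] += t.eth
    return bal


def reachable(out, start):
    """Breadth-first walk from `start`; returns {address: hop distance from start}."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for t in out[node]:
            if t.dst not in depth:
                depth[t.dst] = depth[node] + 1
                queue.append(t.dst)
    return depth


def profile_outflows(transfers, root):
    """Attribute everything downstream of `root` to the first hop it left through.

    For each path: ETH sent into it, ETH still resting in its subgraph, that amount
    as a share of the root's total outflow, whether the first hop is dormant (no
    outbound transfers) and how many hops deep the chain goes. Assumes the per-path
    subgraphs do not overlap; a shared downstream address would be counted once per path.
    """
    out = out_edges(transfers)
    bal = net_balances(transfers)
    total_out = sum((t.eth for t in out[root]), Decimal(0))
    paths = {}
    for hop in dict.fromkeys(t.dst for t in out[root]):
        depths = reachable(out, hop)
        resting = sum((bal[n] for n in depths), Decimal(0))
        paths[hop] = {
            "sent_eth": sum((t.eth for t in out[root] if t.dst == hop), Decimal(0)),
            "resting_eth": resting,
            "share": resting / total_out,
            "dormant": not out[hop],
            "max_depth": 1 + max(depths.values()),
        }
    return paths


def reverse_flow_loops(transfers):
    """Address pairs with transfers in both directions: the tumbler's loop signature."""
    edges = {(t.src, t.dst) for t in transfers}
    return sorted({tuple(sorted(e)) for e in edges if e[0] != e[1] and (e[1], e[0]) in edges})


if __name__ == "__main__":
    for hop, p in profile_outflows(TRANSFERS, MASTER).items():
        state = "dormant" if p["dormant"] else f"active, {p['max_depth']} hops deep"
        print(f"{hop[:10]}... resting {p['resting_eth']} ETH ({p['share']:.1%}), {state}")
    print("reverse-flow loops:", reverse_flow_loops(TRANSFERS))
```

With the report's first-hop amounts the two vault paths come out at 99.8% of the master's outflow, matching the figure quoted above. The loop detector is deliberately strict (both directions must exist as plain transfers); a tumbler that returns funds via an intermediate address would need a cycle search of length greater than two, and real traces must also subtract gas from the resting balances before comparing them with the ledger.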

5. Comprehensive Key Address Ledger

Address | Network | Forensic Role | Current Balance | Technical Observations & Profile Status
--- | --- | --- | --- | ---
0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2 | Polygon | Exploiter Siphon Portal | 0 MATIC | Primary collection address for frontend drainage calls.
0x71d4249079684479f2651745fa2fcd79c9b45f53 | Polygon | Infrastructure Gas Funder | 0 MATIC | Distributed 1,379 MATIC. Historical logs tie it to Bitfinex/OKX hot wallets.
0xe65b1c586757c5510B60F998Eebb14C1Ef71E1eD | Ethereum | L1 Master Consolidation | 0 ETH | Received 1,893 native ETH via bridge; fully distributed.
0x975268a2a71e4a7e282b962ec0b1ee01d3778ac0 | Ethereum | Primary Deep Storage Vault | 1,788.516 ETH | High-priority target for compliance tracking and blocklisting.
0xea0a80070c38f63c10d7fed95286e83eb415441f | Ethereum | Secondary Storage Vault | 100.000 ETH | Static balance. Zero outbound transfers executed.
0xe3c8c6cfcfb8edfa83b86e5a98e58568f78bd922 | Ethereum | Minor Asset Dispersion Node | 3.400 ETH | Static balance. No activity detected following the inbound transfer.
0x5a6b2f8fab6cf480c93d152ef96d1e0c830fe587 | Ethereum | Tumbler/Laundering Router Hub | 0 ETH | Executed programmatic micro-splits across 6 sub-nodes.
0x113b0cef1061992ea30dc70f3949e0bbeae20bc0 | Ethereum | Mixer Output Accumulator | 0.090 ETH | Collected the reverse-flow residual dust from the layering loops.

6. Centralized Exchange Intersect & Historical Ties

While no cash-out to centralized exchange deposit addresses has been attempted from the Ethereum holding vaults, our team uncovered an essential lead within the Polygon gas supply network.

The gas funding wallet (0x71d4249079684479f2651745fa2fcd79c9b45f53) shows historical transactions with institutional deposit paths at Bitfinex, Bitget, and OKX on May 30, 2026. Although these predate the supply chain breach by weeks, they indicate persistent operational infrastructure rather than a throwaway wallet. Subpoenas for the account records behind those historical deposits at the named exchanges are a high-probability route to the attacker's off-chain identity.

7. Strategic Recommendations & Immediate Action Plan

Because the threat actor has kept 99.8% of the siphoned capital entirely stationary, the security community has a critical window in which to isolate it:

  • Global CEX Blocklisting (Immediate): Forward the storage vault addresses (0x975268a2a71e4a7e282b962ec0b1ee01d3778ac0 and 0xea0a80070c38f63c10d7fed95286e83eb415441f) to all Tier-1 centralized exchanges (Binance, Coinbase, OKX, Kraken, Bitfinex) so that any deposit originating from them is frozen on arrival.
  • Historical KYC Subpoena: Law enforcement agencies should issue immediate data preservation notices and subpoenas to Bitfinex, Bitget, and OKX for the identification records, device fingerprints, and access IPs tied to the historical activity of the gas funding node.
  • Bridge Monitoring: Monitor Relay.link bridge events in real time and automatically flag any further wallets that follow the same Polygon USDC.e to Ethereum ETH route as the exploiter cluster.
  • Regulatory Compliance Reporting: Coordinate with international financial intelligence units (such as South Korea's KoFIU or national cyber divisions) to submit Suspicious Transaction Reports (STRs) based on the structural indicators mapped out in this report.

8. Conclusion

The Polymarket frontend breach highlights the expanding threat from decentralized web applications' dependence on third-party software supply chains. By modifying client-side logic, the adversary never had to defeat the smart contracts themselves: the contracts executed exactly the calls the tampered frontend asked users to sign.

However, the attacker's post-exploit strategy presents a significant operational bottleneck: by parking the overwhelming majority of the siphoned funds in visible, un-mixed Layer-1 wallets, they have left an accessible trail. Immediate, aggressive asset blocklisting combined with legal process against the historical gas funding infrastructure gives the Web3 ecosystem a highly viable pathway for attribution and recovery.

ChainBounty Threat Intelligence has locked webhooks onto all associated cluster addresses. Real-time updates will be published automatically if any of the monitored addresses change state.
