Polymarket Users' Wallets Wiped Out After Making Deposits

Users of the Polymarket prediction market app are experiencing unauthorised draining of their wallets after logging in through their Google accounts.

Following deposits, these users found their wallets emptied, with balances reduced to zero.

🚨A small number of #Polymarket users have reported that their accounts logged in via Google have been attacked, resulting in stolen USDC balances. The attackers exploited a “proxy” feature to steal funds, but only a limited number of Google login users were affected. Users with… pic.twitter.com/cSecBqWLEW

— PandaLY (@pandaly520) September 30, 2024

It is important to note that this issue has not affected users who use wallet browser extensions like MetaMask or TrustWallet.

Suspicious Activity on First Victim's Account

The first identified victim, known by the Discord username "HHeego," reported issues with his Polymarket account linked to an address ending in C3d4.

On 5 August, HHeego deposited $1,085.80 in USD Coin (USDC) from Binance into Polymarket but noticed hours later that the deposit had not appeared in his account.

Seeking assistance, he joined the Polymarket Discord and discovered that other users were experiencing similar delays, which alleviated his initial concerns.

Eventually, the deposit was reflected in the interface, but it "vanished almost as quickly as it had come," leading to a total loss of his USDC balance, which amounted to $1,188.72, including a prior balance of $102.92.

Interestingly, his $2,000 in open trades remained intact.

Screenshot of conversation with customer service agent by HHeego

Investigating further, HHeego used the Polygonscan block explorer and found that his drained USDC had been sent to an account named "Fake_Phishing399064".

When he contacted customer support, an agent inquired whether his private key had been compromised.

As a newcomer to the crypto space, HHeego initially did not understand the term "PK leak" (private key leak).

He confirmed he had never used a browser extension wallet, only logging into Polymarket via Google.

The agent assured him that the team was looking into the situation and would follow up with more information.

Despite his initial belief that the issue was a temporary glitch, HHeego deposited an additional $4,111.31 on 11 August, only to have those funds drained as well, bringing his total losses to $5,197.11.

Realising his account had likely been hacked, he closed all trades, successfully withdrew nearly $1,000, and transferred the funds to his Binance account.

Upon contacting customer service again, HHeego was informed that his account had indeed been compromised.

The agent indicated they were close to understanding the situation and promised to keep him updated.

However, the last communication he received was on 15 August, where the agent described the attack as "a complex situation" and referred him to another team member.

Since then, HHeego has received no further updates.

HHeego's reported last customer service message from Polymarket

Blockchain data corroborates his account: $1,188.72 in USDC was drained via a "proxy" function on 5 August, and an additional $4,111.31 was taken on 11 August, both transfers executed by an externally owned account ending in b3E5, which is known for phishing.

HHeego confirmed he does not own or control that account.

On 12 August, approximately $1,000 was transferred to a Binance deposit address through legitimate transactions using the "Relay Call" function instead of the proxy.

Second Victim's Loss Is Much Smaller Than the First's

The second victim, identified by the Discord username "Cryptomaniac," reported a troubling incident involving a $745 deposit made on 9 August.

🔒 Some Polymarket users have had their wallets compromised after logging in with Google, with their funds drained through fraudulent methods. 📉 Caution is advised, and secure wallet extensions such as MetaMask should be used to avoid these attacks. #أمان_العملات_الرقمية #CyberSecurity #CryptoSafety #Polymarket pic.twitter.com/dFMls3nAP1

— BANDR ALOTAIBI 🇸🇦 (@bandr283) September 29, 2024

Just hours after the deposit, his funds were swiftly drained and transferred to an account labeled Fake_Phishing399064.

Seeking assistance, Cryptomaniac reached out to customer service, who initially engaged with him but eventually ceased communication without resolving the issue.

He stated:

“At first, they helped me. They tried to check for some errors and stuff, but after weeks and months passed [...] it's been one month already, they stopped looking into it. Then when I messaged them, they didn't reply.”

He shared a screenshot of a statement from the customer service team, which indicated that they had identified the exploit in at least five cases, suggesting the presence of other victims.

The agent informed him that the attacker was utilising "email OTP" to gain access to victims' accounts and provided the IP address linked to the attack.

They also asked Cryptomaniac to retrieve his browser history from 2 to 4 August; however, he was unable to do so, as he had previously cleared his history on the advice of another Polymarket representative.

Message to Cryptomaniac from Polymarket representative.

Blockchain evidence corroborates that Cryptomaniac's account was indeed drained of $745 USDC via a proxy function call, with the funds sent to the same phishing account as the first victim.

Notably, none of the victims accessed the platform through wallet extensions, raising concerns that this exploit specifically targets newer login methods like OAuth or email OTP.

Despite these incidents, Polymarket has maintained that the attacks are limited to a few users and not widespread.