Polymarket Confirms User Account Hacks Tied to Third-Party Vulnerability – Funds Drained Despite 2FA

Decentralized prediction market platform Polymarket acknowledged on December 25, 2025, that several user accounts were compromised due to a security vulnerability in a third-party authentication provider.

Affected users reported unauthorized logins and drained balances, despite having two-factor authentication (2FA) enabled and finding no evidence of personal device compromise. This prompted speculation on X and Reddit that the issue may involve Magic Labs, a common wallet connection service. While Polymarket has not named the provider, the incident highlights ongoing third-party risks in Web3 platforms, even for non-custodial services. No official loss figures have been disclosed, but individual reports describe significant fund withdrawals after suspicious login attempts.

Details of the Polymarket Account Hacks

Users began surfacing complaints earlier in the week:

  • Common Pattern: Multiple failed login notifications followed by successful access and position closures/fund drains.
  • Security Measures Intact: Victims reported clean devices, no phishing clicks, and active 2FA on linked emails.
  • Example Report: One Reddit user described waking to three login attempts, then finding all Polymarket positions closed with balance near zero.
  • Community Speculation: Many pointed to Magic Labs (magic.link) as the likely vulnerable third party, given its widespread use for wallet connections.
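
The pattern users reported above (repeated failed logins, then a successful login, then closed positions and withdrawals) can be written as a detection rule over account events. This is an added example, not code from Polymarket or any authentication provider; the event names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, event type); not real logs.
EVENTS = [
    ("2025-12-22T03:01:10", "acct-1", "login_failed"),
    ("2025-12-22T03:01:40", "acct-1", "login_failed"),
    ("2025-12-22T03:02:05", "acct-1", "login_failed"),
    ("2025-12-22T03:04:30", "acct-1", "login_ok"),
    ("2025-12-22T03:06:00", "acct-1", "position_closed"),
    ("2025-12-22T03:07:15", "acct-1", "withdrawal"),
    ("2025-12-22T09:00:00", "acct-2", "login_failed"),   # one typo, then success
    ("2025-12-22T09:00:20", "acct-2", "login_ok"),
    ("2025-12-22T09:30:00", "acct-2", "position_closed"),
    ("2025-12-22T10:00:00", "acct-3", "login_ok"),       # no failures at all
    ("2025-12-22T10:05:00", "acct-3", "withdrawal"),
]

DRAIN_ACTIONS = {"position_closed", "withdrawal"}  # assumed event names

def find_takeover_candidates(events, min_failures=3,
                             fail_window=timedelta(minutes=10),
                             drain_window=timedelta(minutes=30)):
    """Flag accounts where a burst of failed logins precedes a successful
    login that is quickly followed by position closures or withdrawals."""
    failures = defaultdict(list)   # account -> failed-login times since last success
    suspect_login = {}             # account -> time of a suspicious successful login
    alerts = {}
    for ts_raw, account, kind in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        if kind == "login_failed":
            failures[account].append(ts)
        elif kind == "login_ok":
            recent = [t for t in failures[account] if ts - t <= fail_window]
            failures[account].clear()
            if len(recent) >= min_failures:
                suspect_login[account] = ts
            else:
                suspect_login.pop(account, None)  # ordinary login clears suspicion
        elif kind in DRAIN_ACTIONS:
            login_ts = suspect_login.get(account)
            if login_ts is not None and ts - login_ts <= drain_window:
                alerts.setdefault(account, []).append((ts_raw, kind))
    return alerts

if __name__ == "__main__":
    for account, actions in find_takeover_candidates(EVENTS).items():
        print(account, actions)
```

The rule only covers the reported sequence; a session opened with a stolen token and no preceding failed logins would need a separate signal, such as a new device or location on the session.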

Polymarket’s statement confirmed the third-party root cause but provided limited specifics on scope or remediation timeline.

  • Platform Impact: Non-custodial nature means private keys remain user-controlled, but authentication flaws enabled session hijacking.
  • No Phishing Confirmed: Suggests supply-chain or provider-level exploit.
  • Response Status: Acknowledgment issued; investigation ongoing.

Why Third-Party Vulnerabilities Pose Risks to DeFi Users

Even decentralized platforms rely on external services for UX:

  • Wallet Connections: Providers like Magic Labs simplify sign-in but introduce single points of failure.
  • Session Management: Compromised auth tokens can bypass 2FA if not properly revoked.
  • Supply-Chain Attacks: Growing threat as Web3 stacks multiple dependencies.

This incident echoes past breaches where third-party tools (e.g., Ledger Connect Kit) exposed users despite strong individual security.

Implications for Polymarket and Prediction Market Users

Polymarket—known for high-volume event betting—faces reputational pressure:

  • Trust Impact: Users question platform safety despite non-custodial design.
  • Volume Context: Recent records (e.g., election betting) amplify visibility of issues.
  • Mitigation Steps: Likely revoking sessions, forcing re-auth, and provider audits.
  • Broader Lesson: Diversify auth methods and monitor connected apps.

No evidence of on-chain exploits; losses tied to account takeovers.

In summary, Polymarket’s December 25, 2025, confirmation of user account hacks via a third-party vulnerability—resulting in drained funds despite 2FA—underscores persistent supply-chain risks in Web3. With speculation centering on Magic Labs and reports of unauthorized access, the incident serves as a reminder for users to review connected services and enable advanced security options. Monitor official Polymarket channels for updates on affected accounts and resolution steps in this developing situation.
