Polymarket Drain Funds Move Into Three Fresh ETH Wallets After Vendor Compromise

Funds tied to the Polymarket pUSD drain have moved again after the attacker converted stolen assets through Relay, bridged value from Polygon to Ethereum and consolidated proceeds into ETH.

The movement follows the vendor script drain that hit Polymarket users after a compromised third-party dependency injected malicious code into the platform frontend for some users. Polymarket contained the incident, removed the affected dependency and said impacted users would be refunded in full.

The attacker path now centers on funds that were drained from user wallets holding pUSD on Polygon, routed through swaps and bridges, then consolidated through an Ethereum address identified by onchain monitors as part of the drain trail. The latest movement does not indicate a new wave of victims by itself. It shows post-incident fund handling after the original frontend compromise.

Security monitors have linked the drain to phishing-style execution and malicious delegated activity, with users tricked into signing transactions that gave the attacker a path to move pUSD. That makes the incident a frontend and wallet-signing failure rather than a confirmed Polymarket smart-contract exploit.

ETH Now Sits Across Fresh Wallets

The attacker-linked funds now appear to be parked across three fresh Ethereum wallets holding about 1,891.9 ETH combined. The largest wallet holds about 1,788.5 ETH, while two smaller wallets hold about 100 ETH and 3.4 ETH.

The split keeps most of the value concentrated in one address while moving a smaller amount into separate wallets. That kind of structure can be used for staging, testing liquidity routes, preparing additional hops or simply separating operational balances before the next movement.

The original consolidation trail ran through 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD, while the largest fresh wallet now holds roughly 1,788.5 ETH. The other two fresh wallets hold far smaller balances and remain part of the monitoring trail rather than separate confirmed attacker clusters.

The exact final destination remains unclear. Funds can sit parked for hours or days before moving through mixers, exchanges, OTC routes, bridges or additional fresh wallets. For now, the relevant update is that the stolen pUSD proceeds have moved from Polygon-based user drains into ETH balances that can be monitored on Ethereum.

Vendor Compromise Still Drives The Incident

Polymarket’s confirmed incident remains narrower than a protocol-level failure. A compromised third-party vendor injected a malicious frontend script for some users, the affected dependency was removed, and the company said it would refund impacted users.

That distinction matters because the attack route depended on what users were shown and what they signed, not a confirmed break in Polymarket’s core contracts. It also keeps the focus on frontend dependencies, wallet prompts, delegated execution and user-signature risk across high-traffic crypto apps.

The fund movement adds to a difficult week for Polymarket. U.S. senators have already pressed the CFTC over fake-bet marketing, while the pUSD drain raised separate security questions around frontend dependencies and wallet approval flows.

The attacker-linked ETH remains parked across the three fresh wallets after the pUSD drain was routed through swaps and bridges. Polymarket has said affected users will be refunded, while onchain monitors continue tracking the ETH balances for exchange deposits, mixer interaction, bridge movement or further consolidation.

The post Polymarket Drain Funds Move Into Three Fresh ETH Wallets After Vendor Compromise appeared first on Crypto Adventure.
