A suspected phishing attack targeting Polymarket users has drained an estimated $2.94 million from at least 11 victim wallets holding pUSD. The stolen assets were swapped into ETH and consolidated through the address 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD.
The incident has not been confirmed as a Polymarket protocol exploit. The available onchain trail points to a user-side phishing or wallet-drainer campaign, where victims appear to have lost funds after interacting with malicious links, signatures or approvals tied to pUSD balances.
Other theft addresses identified in the alert include 0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2, 0xC44F2Ca6B30A54d17a62ceF8FAdaF2e8C8632eC4, 0x10366AdBB5C4101A65C840Da6639546179C5A107 and 0x7BCECe0d8fd92ECCf39Bc35242c6D9aAc0aA75A6.
pUSD is Polymarket’s dollar-denominated trading collateral on Polygon. That makes it a direct target for phishing campaigns because users may hold idle balances, active trading funds or recently migrated balances inside wallets connected to prediction-market activity.
The attacker drained pUSD from victim wallets, swapped the stolen assets into ETH and moved the proceeds toward a central consolidation address. That pattern is common in wallet-drainer campaigns, where attackers try to convert stolen tokens into deeper liquidity assets before routing funds through additional wallets, bridges or exchanges.
The active risk is approval and signature abuse. A phishing page can ask users to connect a wallet, approve pUSD spending or sign a transaction that looks like a normal account action. Once the permission is granted, the attacker can move tokens without needing the user’s private key.
The suspected drain lands as Polymarket expands across more interfaces and user environments. A recent Polymarket-powered launch brought prediction markets into TON wallets, showing how the platform’s liquidity can spread across different distribution channels.
That wider reach can also give attackers more surfaces to imitate. Fake migration prompts, fake reward campaigns, fake market tools and fake account-warning pages can all be used to push users toward malicious approvals.
The reported phishing campaign adds a wallet-security issue to a period already filled with Polymarket-related scrutiny. The platform recently faced questions around CMO payments, while another report raised concerns over fake-win videos used to attract U.S. users.
The latest incident is different. It is not about marketing controls, prediction-market legality or trade settlement. It is about user-wallet security around pUSD, malicious approvals and whether traders can distinguish official Polymarket flows from fake pages built to drain balances.
No confirmed recovery process, attacker identity, official Polymarket statement or exploit postmortem had been published at the time of writing. Users with pUSD exposure should review recent approvals, avoid unofficial links and treat any urgent migration, claim, bonus or account-verification prompt as suspicious unless it comes through verified Polymarket channels.
The monitor-flagged loss estimate now stands near $2.94 million across 11 or more victim wallets. The main consolidation address remains 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD, while the reported theft addresses remain part of the active onchain trail.
The post Polymarket Users Hit By Suspected $2.94M pUSD Phishing Drain appeared first on Crypto Adventure.
