Polymarket admits that user funds have been stolen, and "one-click login" third-party services have become a vulnerability
Polymarket reported that funds were stolen on Christmas Eve. The vulnerability originated from the third-party wallet service Magic Labs, highlighting the single point of risk behind the convenience of Web3.
(Preliminary briefing: Polymarket, the leader in the prediction market, announced that it will build its own L2. Is Polygon’s trump card gone? )
(Background supplement: How to achieve 40% annualized income through Polymarket arbitrage? )
Polymarket, the leader in the crypto prediction market, reported that funds were stolen, and many users were furious on X and Reddit in the early morning of December 24 that "the account balance was emptied."
The platform immediately admitted the security flaw in the official Discord and pointed it to a "third-party service provider." The on-chain tracking tool Lookonchain subsequently targeted wallet service provider Magic Labs, making this incident the most high-profile security breach in the crypto market in late 2025.
Officially said it has been fixed, but some people are still worried
Less than an hour after the user broke the news, Polymarket issued an announcement:
We found a vulnerability related to a third-party service provider, which has been fixed. Only a very small number of users are affected, and we will proactively contact these users.
The announcement did not disclose the amount of losses or the number of victims, but it caused greater panic. According to Polymarket’s platform’s single-month transaction volume in 2025, it is estimated that it will be billions of dollars every month. Even a “very small number” may result in high losses.
Unlike common phishing attacks, no suspicious links were circulating at the time of the incident, and many victims even enabled email 2FA. The key to bypassing the defense line is not on the user side, but on the third-party authentication in the background.
Magic Labs login mechanism has become a loophole
To lower the threshold, Polymarket introduced Magic Labs’ “Email one-click non-custodial wallet generation”. Users do not need to keep the mnemonic words and can operate Ethereum assets by sending verification codes. However, the attacker directly exploits the system vulnerability in the Magic Labs authentication layer to gain control of the wallet, and 2FA is equivalent to invalid.
The current flow on the chain shows that the hacker address split the assets in a short period of time and mixed the coins through multiple layers, making it more difficult to trace. Although the official said it "has been repaired," it has not yet responded to the community's request for a complete post-incident report.
At the same time, security company SlowMist warned GitHub of the emergence of malicious Polymarket copy robots, specifically targeting advanced players who build their own trading scripts. This program reads the local configuration file and secretly sends the private key. Although it is not directly related to the Magic Labs vulnerability, it broke out on the same day.
