Polymarket Exploited on Christmas Eve with Funds Stolen, Vulnerability Originates from Third-Party Wallet Service Magic Labs, Highlighting Single Point of Failure Behind Web3 Convenience.
(Background recap: Leading prediction market Polymarket announces self-built L2, does this mean the end of Polygon’s flagship?)
(Additional context: How to arbitrage through Polymarket to achieve an annualized 40% return?)
The leading crypto prediction market Polymarket has suffered a theft of user funds: in the early hours of December 24, multiple angry users on X and Reddit claimed that their “account balances have been wiped out.”
The platform immediately acknowledged the security breach on its official Discord, attributing it to a “third-party service provider.” The on-chain tracking service Lookonchain subsequently identified that provider as the wallet service Magic Labs, making this incident one of the most concerning crypto security breaches of late 2025.
The official statement claims the issue has been fixed, but concerns remain
Less than an hour after user reports, Polymarket issued an announcement:
We have identified a vulnerability related to a third-party service provider, which has now been resolved. Only a very small number of users are affected, and we will proactively contact these users.
The announcement did not disclose the amount lost or the number of victims, which only deepened the panic. Given that Polymarket’s monthly trading volume in 2025 is estimated at tens of billions of dollars, even a “very small” number of affected users could mean significant losses.
Unlike common phishing attacks, no suspicious links were circulating at the time of the incident, and many victims had even enabled email 2FA. The defenses were bypassed not on the user side but in the third-party authentication backend.
Magic Labs Login Mechanism Became the Breach Point
To lower the barrier to entry, Polymarket introduced Magic Labs’ “Email One-Click Non-Custodial Wallet Generation.” Users do not need to manage seed phrases; they can operate their Ethereum assets simply by entering an emailed verification code. Attackers exploited a vulnerability in Magic Labs’ authentication layer to gain control of wallets, rendering 2FA ineffective.
On-chain flows show that the hacker quickly split the assets and routed them through multiple layers of mixing to complicate tracing. Although Polymarket officially states the issue is “already fixed,” it has yet to respond to community requests for a full post-incident report.
Meanwhile, security firm SlowMist warns of malicious Polymarket copycat bots on GitHub that target advanced traders who use custom trading scripts. These programs read local configuration files and secretly exfiltrate private keys. While not directly related to the Magic Labs vulnerability, they surfaced on the same day.