Some users of the Polymarket prediction market app are complaining that their wallets were mysteriously drained after they logged in via their Google accounts.
After making deposits, users found that their wallets were wiped out, leaving a balance of zero. The attacks have not occurred against users who relied on browser-extension wallets such as MetaMask or Trust Wallet.
Cointelegraph spoke to two victims of the attacks. The first victim identified himself by the Discord username, “HHeego,” and claimed to be the owner of a Polymarket account whose address ends in C3d4.
HHeego claimed that he deposited $1,085.80 in USD Coin from Binance to Polymarket on Aug. 5. However, after hours of waiting, the deposit did not show up in his account within the Polymarket app.
Believing something was wrong with his account, HHeego joined the Polymarket Discord server in an attempt to get help. He found that many other users were having similar problems, and it seemed to be connected to a user interface issue. This made him feel relieved, so he stopped worrying about it.
Later that day, the deposit appeared on the user interface. However, he stated that it “vanished almost as quickly as it had come.” In fact, he claimed that his entire USDC balance of $1,188.72 disappeared. This balance included $102.92 that had been in the account before the deposit was made, as well as the deposit itself.
Strangely, HHeego’s $2,000 worth of open trades remained untouched.
HHeego seeks help from Polymarket
HHeego inspected his account history using the Polygonscan block explorer and found that his USDC balance had been sent to an account labeled “Fake_Phishing399064.”
He then submitted a ticket to customer support. When the customer support agent heard the user’s story, he expressed incredulity. “Haven’t you withdrawn that amount?” he asked. “No I haven’t,” the user replied. “Are you sure it wasn’t you then?” the agent asked. “I am 100% sure,” the user replied.
In the image below, Cointelegraph has redacted the agent’s screen name to protect his privacy.
The agent asked HHeego if “your PK got leaked or you got phished somehow.” The user, who claims to be a newcomer to the crypto world, told Cointelegraph that he did not at first understand what the agent meant by a “PK leak.” HHeego stated that he has never used a browser extension wallet and has only ever used a Google login to access Polymarket.
After asking a few more questions, the agent told him that the team was investigating the anomaly and would contact him when they discovered more information.
Another $4,000 gets swiped
Believing that the wallet drain was some kind of “glitch” that would eventually be worked out, HHeego deposited an additional $4,111.31 on Aug. 11. As before, the “fake phishing” account drained all of the funds, bringing the user’s total losses to $5,197.11.
At this point, the user became convinced that his Polymarket account was hacked. He closed all of his trades, amounting to nearly $1,000 in funds, and withdrew his balance to his Binance account. The proceeds from these trades were not touched by the attacker, and the withdrawal was successful.
After retrieving his funds, HHeego contacted customer service again. This time, the customer service agent told him that his account was compromised and he should stop using it. According to the user, the agent also told him “they are close to understanding 100% what has happened.”
He received one last message from customer service on Aug. 15. In this message, the agent stated that the attack was “a complex situation” and that the team wanted to have all of the details before communicating its next steps. The agent then referred HHeego to another team member.
HHeego claimed that he did not receive any further information from the Polymarket team after August 15.
Blockchain data confirms many aspects of HHeego’s story. The account was drained of $1,188.72 USDC through a “proxy” function call on Aug. 5. On Aug. 11, an additional $4,111.31 was removed from the account. In both cases, the function was called by an externally owned account whose address ends in b3E5, and the funds were sent to a known phishing account. HHeego stated that he does not own or control the account ending in b3E5.
On Aug. 12, HHeego’s account transferred approximately $1,000 to a Binance deposit address through multiple transactions. These transactions, which the user stated were legitimate, called the “Relay Call” function rather than “proxy.”
Second victim
The second victim went by the Discord username “Cryptomaniac.” According to him, he deposited $745 on Aug. 9. A few hours after making the deposit, the funds were swept from his account and sent to Fake_Phishing399064.
Cryptomaniac contacted customer service and asked for help. At first, customer service attempted to help him. However, they eventually stopped communicating without the issue being resolved. He stated:
“At first, they helped me. They tried to check for some errors and stuff, but after weeks and months passed […] it’s been one month already, they stopped looking into it. Then when I messaged them, they didn’t reply.”
Cryptomaniac provided a screenshot of one of the statements he received from customer service. In it, the agent appears to inform him that the team has “seen the exploit 5 times so far,” indicating that at least three other victims exist.
The team member claims that the attacker is using “email otp” to log in to victims’ accounts and lists the IP address used for the attack. The agent asks Cryptomaniac to pull his browser history from Aug. 2 to Aug. 4. According to Cryptomaniac, he was unable to comply with this request because he had already cleared his browser history, which he claims he was told to do by a previous Polymarket customer service rep.
Blockchain data confirms that Cryptomaniac’s account was drained of $745 USDC through a proxy function call and sent to the exact same Fake_Phishing account that the previous victim’s funds were sent to.
How Google logins work on Polymarket
According to an older version of Polymarket’s documentation, the app uses the Magic software development kit (SDK) from Magic Labs to provide passwordless, seedless logins. This is why users can log in to the app without installing a standard Web3 wallet such as MetaMask or Coinbase Wallet.
Magic’s documentation describes the system in more detail. Users generate a “user master key” when they first sign up for an integrated service such as Polymarket. This master key is used to decrypt a second, encrypted key that is stored on the user’s device.
The master key is stored in an Amazon Web Services (AWS) hardware security module (HSM). As a result, an attacker should not be able to initiate a transaction on Polymarket without first authenticating to the AWS-hosted service.
In the case of a Google login, an attacker should not be able to authenticate without gaining access to the user’s Google account. Both victims claimed that they saw no evidence of anyone having gained access to their Google accounts.
The message to Cryptomaniac cited above stated that the attacker used “Email OTP [one-time password]” to authenticate with the server. This implies that the attacker must have gained access to the victims’ email accounts. However, both victims claimed they never used an email address to access the platform.
Neither victim used a wallet extension to access the platform, so the exploit appears to work only against the newer login methods, such as OAuth or email OTP.
According to reports from victims, Polymarket has claimed that the attacks are only occurring against a few users and are not widespread.
Cointelegraph contacted both the Polymarket and Magic Labs teams through their official Discord servers but did not receive a response by the time of publication.
Wallet vulnerabilities are a common way for Web3 users to lose crypto. In August, researchers uncovered a method called “Dark Skippy” that could be used to steal Bitcoin from hardware wallets via a supply-chain attack.
In March, cybersecurity research firm SECBIT Labs disclosed an old Trust Wallet vulnerability that allowed an attacker to guess a user’s seed words. This vulnerability was patched, but the researchers stated that the flaw may still affect some accounts.