Polymarket Users Targeted in Mysterious Google Login Wallet Attacks
Victims report drained USDC balances after using Google login, while Polymarket investigates a potentially targeted exploit.
Several users of the Polymarket prediction market app have reported that their wallets were drained after they logged in via Google accounts, raising concerns of a targeted exploit affecting a subset of users. The attack, which appears to involve a “proxy” function call, has so far hit only a small number of users who accessed Polymarket through Google login; users of browser-extension wallets such as MetaMask or Trust Wallet report no impact.
One of the victims, known by the Discord username “HHeego,” shared his troubling experience with Cointelegraph. After depositing $1,085.80 in USD Coin (USDC) from Binance to Polymarket on August 5, the deposit failed to appear in his account. Hours later, the funds showed up, only to vanish almost immediately, draining his total balance of $1,188.72, which included $102.92 from previous deposits.
Upon investigating via the Polygonscan block explorer, HHeego discovered that his USDC balance had been transferred to an account labeled “Fake_Phishing399064.” The attacker left roughly $2,000 in open trades untouched. HHeego’s attempts to resolve the issue with Polymarket customer support were met with initial skepticism: support staff speculated about a possible phishing attack or private key leak, terms that were unfamiliar to HHeego, a newcomer to cryptocurrency.
Believing the problem to be a temporary glitch, HHeego deposited an additional $4,111.31 on August 11, only for the funds to be siphoned off once again to the same phishing address. His total losses amounted to $5,197.11. After withdrawing his remaining funds from closed trades, HHeego contacted customer support again, where he was told that his account had likely been compromised. The Polymarket team indicated they were investigating the issue but provided no further updates after August 15.
Blockchain data corroborates much of HHeego’s story, showing that $1,188.72 and $4,111.31 were drained from his account via a proxy function call, sending the funds to a known phishing account. HHeego’s legitimate trades and withdrawals were executed without interference, adding another layer of complexity to the attack.
Another victim, identified as “Cryptomaniac” on Discord, reported a similar experience. He deposited $745 on August 9, only to have the funds drained hours later. As in HHeego’s case, the funds were sent to the same phishing account, and although customer support helped at first, communication eventually ceased without a resolution.
A screenshot provided by Cryptomaniac revealed that Polymarket had identified five instances of this exploit, suggesting that other victims may exist. According to customer service, the attacker allegedly used an “email OTP” (one-time password) to gain access, though both victims deny having ever used an email address to log into Polymarket.
The attacks seem to only affect users who logged in via Google, raising concerns that the login method might be vulnerable. Polymarket uses the Magic SDK from Magic Labs to enable passwordless logins, relying on a user’s master key stored on an Amazon Web Services (AWS) hardware security module. In theory, this setup should prevent unauthorized transactions unless an attacker gains access to the user’s Google account or email authentication.
However, both victims claimed that their Google accounts showed no signs of unauthorized access. Polymarket has assured users that the issue only affects a small number of accounts and is not widespread, but the exact nature of the exploit remains unclear as investigations continue.
As the community waits for further clarification from Polymarket, affected users are left grappling with the losses and uncertainty over their account security. For now, the issue highlights potential vulnerabilities in alternative login methods in the fast-evolving world of decentralized finance.