Polymarket Security Breach: Attacker Drains Internal Wallet

Polymarket suffered a security breach on May 22, 2026, after an attacker compromised a private key tied to an internal operations wallet and drained approximately $700,000 in POL tokens. The prediction market platform confirmed that user funds and core smart contracts were not affected.

What to Know

• The breach targeted an internal “top-up” wallet used for rewards distribution, not user accounts or Polymarket’s core smart contracts. A 6-year-old private key was compromised, allowing the attacker to siphon POL tokens across 16 addresses.
• User funds are confirmed safe. Polymarket has rotated the compromised key, revoked all production permissions, and is migrating all private keys to KMS (Key Management Service) infrastructure.

What Happened: Polymarket’s Internal Wallet Compromised

On-chain investigator ZachXBT first flagged the exploit on May 22, with initial losses estimated at $520,000 drained from two Polygon smart contracts linked to Polymarket’s UMA CTF Adapter system. The two affected contracts, 0x871D…9082 and 0x9143…E5c5, were tied to the platform’s rewards payout infrastructure.

The total estimated loss ultimately reached approximately $700,000 in POL tokens, according to Decrypt. The attacker dispersed the stolen funds across 16 addresses to complicate tracing and recovery efforts.

Total Funds Drained

~$700,000

POL tokens stolen from Polymarket internal ops wallet — May 22, 2026. Source: Decrypt

Polymarket VP of Engineering Josh Stevens confirmed that the breach stemmed from a 6-year-old private key: “We had a 6-year-old private key that was compromised. This was in the internal top-up config… We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on.”

The attacker’s wallet, 0x8F98…9B91, methodically drained POL tokens from the two contracts. The incident underscores a pattern seen across DeFi platforms where backend operational security lags behind smart contract security, even as protocols invest heavily in on-chain code audits.

What This Means for Polymarket Users and Funds

Polygon Labs CTO Mudit Gupta moved quickly to reassure users, confirming on X that the exploit was limited to a market initializer compromise with no impact on user funds or contracts.

Polymarket contracts are safe. User funds are safe.

Looks like their market initializer was compromised. No impact to the users or the contracts. https://t.co/nvR82cY6SN

— Mudit Gupta (@Mudit__Gupta) May 22, 2026

Source: @Mudit__Gupta on X

ZachXBT, BitcoinVN, and ChangeNOW coordinated to freeze approximately $164,000 of the stolen funds. The recovery effort represents roughly 23% of total losses, with the remainder still dispersed across the attacker’s wallet network.

The UMA token, which underpins Polymarket’s oracle resolution system, fell 3.3% during the exploit window, dropping from $0.477 to $0.462 between 07:00 and 09:00 UTC on May 22. The sell-off was brief, and broader crypto markets were already under pressure with the Fear & Greed Index at 28, firmly in “Fear” territory.

UMA Price Drop — Exploit Window

-3.3%

$0.477 → $0.462 between 07:00–09:00 UTC on May 22, 2026. Source: CryptoTimes

Hakan Unal, Senior Security Operations Lead at Cyvers, underscored the systemic risk: “Even when prediction market protocols are secure at the smart contract level, privileged adapter or admin wallets remain a critical attack surface if key management or operational security is compromised.”

The breach also carries regulatory implications. Polymarket reached a settlement with the CFTC in January 2022, paying $1.4 million and agreeing to block U.S. users. A high-profile internal wallet compromise could attract renewed scrutiny over operational security standards at prediction market platforms, particularly as lawmakers continue to shape crypto-related fintech policy in the U.S.

For now, Polymarket’s core prediction markets remain operational. The platform’s migration to KMS-based key management would address the root cause. But the incident is a reminder that operational security failures in backend infrastructure can be just as damaging as smart contract vulnerabilities, even as the industry moves toward institutional-grade security standards.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.