Dormant Polymarket Wallet Drained in Private Key Compromise

On May 22, 2026, a roughly six-year-old dormant operational wallet tied to Polymarket was drained after an attacker obtained its private key. The loss totaled between $600,000 and $700,000, mostly in POL tokens. No smart contract was exploited, and active prediction markets were untouched.

What went wrong

The compromised wallet was an externally owned address (EOA) used by a backend refiller service — not a smart contract. On-chain investigator ZachXBT flagged the suspicious activity first, initially estimating the loss at $520,000. The attacker moved funds in automated transfers of about 5,000 POL every 30 seconds, aiming to avoid detection. The stolen tokens were then routed through exchanges and mixing services, including ChangeNOW.
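The transfer pattern described above (a long-dormant address that suddenly sends similar amounts at a fixed interval) is something a monitoring job can flag. The following is an added detection sketch, not code from Polymarket or from this article; the addresses are placeholders, and the thresholds and sample transfers are constructed assumptions.

```python
from statistics import median

DORMANCY_SECS = 180 * 86400  # assumed threshold: 180 days with no outbound sends
MIN_RUN = 5                  # assumed: sends required after wake-up before alerting

def steady(values, tol=0.2):
    """True when every value lies within tol (a fraction) of the median."""
    m = median(values)
    return m > 0 and all(abs(v - m) <= tol * m for v in values)

def detect_drip_drain(transfers):
    """transfers: iterable of (unix_ts, sender, amount) outbound records.
    Returns one alert per sender that wakes from dormancy and then emits
    evenly spaced, similar-size transfers."""
    by_sender = {}
    for ts, sender, amount in sorted(transfers):
        by_sender.setdefault(sender, []).append((ts, amount))
    alerts = []
    for sender, rows in by_sender.items():
        for i in range(1, len(rows)):
            if rows[i][0] - rows[i - 1][0] < DORMANCY_SECS:
                continue                      # not a dormancy gap
            burst = rows[i:]                  # everything after the wake-up
            if len(burst) < MIN_RUN:
                break                         # too few sends to call a pattern
            gaps = [b[0] - a[0] for a, b in zip(burst, burst[1:])]
            amounts = [amt for _, amt in burst]
            if steady(gaps) and steady(amounts):
                alerts.append({"sender": sender, "count": len(burst),
                               "interval_s": median(gaps),
                               "total": sum(amounts)})
            break                             # only the first wake-up is examined
    return alerts

# Constructed sample data: placeholder addresses, made-up timestamps and amounts.
T0 = 1_700_000_000
SAMPLE = (
    [(T0 - 400 * 86400, "0xREFILLER_PLACEHOLDER", 12.0)]          # last legit use
    + [(T0 + 30 * k, "0xREFILLER_PLACEHOLDER", 5000.0 + (k % 2))  # ~5,000 every 30 s
       for k in range(8)]
    + [(T0 + 3600 * k * k, "0xACTIVE_PLACEHOLDER", 100.0 * (k + 1))
       for k in range(6)]                                          # ordinary activity
)

if __name__ == "__main__":
    for alert in detect_drip_drain(SAMPLE):
        print(alert)
```

Small, regular transfers stay under per-transaction value alerts, so the rule keys on dormancy plus regularity rather than on amount.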

How Polymarket responded

Polymarket’s team quickly rotated the leaked key, revoked permissions from the compromised address, and migrated the service to a Key Management Service (KMS). Product lead Mustafa Aljadery and Polygon CTO Mudit Gupta confirmed that no CTF contract was exploited and that user funds were never at risk. Active markets, share-redemption logic, the UMA resolution path, and core Polymarket contracts all remained unaffected.

Why the confusion

Social media initially mislabeled the incident as an exploit, but the facts show it was a key compromise. The private key was around six years old and had been dormant for a long time. That old key, when finally used, gave the attacker direct access to the refiller wallet. No contract bugs were involved.

The incident is a reminder that even dormant keys can become liabilities. Polymarket’s shift to a KMS should prevent similar issues going forward. For now, the company is focused on recovering what it can and ensuring its operations stay clean.