On May 22, an attacker gained access to a years-old private key for a dormant operational wallet on Polymarket's Polygon infrastructure, draining roughly $600,000 to $700,000 in POL tokens. The breach, which targeted an internal backend wallet used by a 'refiller' service, was not a smart contract exploit — but the distinction took days to clarify.
A key that sat dormant for six years
The compromised wallet was an externally owned account (EOA), not a smart contract. It held a private key that had reportedly been inactive for about six years before the attack. The wallet was part of Polymarket's backend infrastructure, used to refill operational balances. The attacker siphoned funds in repeated transfers of roughly 5,000 POL every 30 seconds, a pattern designed to avoid triggering immediate alarms. On-chain investigator ZachXBT first flagged the suspicious activity, pointing to addresses linked to Polymarket's UMA CTF Adapter.
No user funds, but a security wake-up call
Polymarket was quick to stress that no user funds were at risk. Active markets, share-redemption flows, and core contracts remained untouched. The drained wallet was operationally adjacent to the main system but not part of the contract layer. The UMA CTF Adapter contracts — including those that had been audited — were not exploited. In response, Polymarket rotated the leaked key, revoked all associated permissions, and migrated the affected service to a Key Management Service (KMS). The company described the incident as a private key compromise, not a contract bug, correcting earlier mislabeling of the event as a contract exploit.
The trail of the stolen POL
Once the attacker gained access, they moved the stolen POL through a chain of multiple addresses and exchanges. One of the services used to cash out was ChangeNOW, a non-custodial exchange platform. The attacker's routing strategy made it harder to trace the funds in real time, though blockchain analysis tools eventually reconstructed the flow. The total haul — estimated between $600,000 and $700,000 — is modest by crypto standards but notable for the method: a dormant key that had been sitting in an operational wallet, forgotten but still active.
Polymarket's migration to a KMS is now complete, and the company says the vulnerability has been closed. But the breach highlights a persistent risk in crypto operations: old keys, left unused for years, can become a blind spot. The industry will be watching to see if any other dormant operational wallets from the same era are still connected to live systems.




