Polymarket Dormant Wallet Drained of $600K in POL After Old Private Key Compromise

A six-year-old private key gave an attacker access to a dormant Polymarket operational wallet on May 22, 2026, leading to the drain of roughly $600,000 in POL tokens. The incident did not affect user funds or active markets, and the platform’s core contracts remained untouched.

How the attacker moved the cash

The compromised wallet was an externally owned account (EOA) used by Polymarket’s backend “refiller” service — not a smart contract. Once inside, the attacker withdrew about 5,000 POL every 30 seconds, routing the stolen tokens through exchanges and mixing services like ChangeNOW before the flow was stopped.
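The withdrawal pattern described above (similar-sized transfers at a fixed cadence out of a long-idle wallet) is something a monitoring job can flag after the first few transfers. The following is an added detection sketch, not code from Polymarket or from the original article; the `Transfer` record, the function name, the 180-day dormancy threshold, the tolerances and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Transfer:
    ts: int        # block timestamp, unix seconds
    amount: float  # POL sent out of the monitored wallet

def detect_drip_drain(transfers, last_active_ts, dormant_days=180,
                      min_run=5, interval_tol=0.25, amount_tol=0.10):
    """Alert when a wallet idle for `dormant_days` starts sending a run of
    similar-sized transfers at a steady cadence. Thresholds are assumptions."""
    txs = sorted(transfers, key=lambda t: t.ts)
    # Only wallets waking up after a long quiet period are in scope.
    if not txs or txs[0].ts - last_active_ts < dormant_days * 86400:
        return None
    run = [txs[0]]
    for prev, cur in zip(txs, txs[1:]):
        gap = cur.ts - prev.ts
        gaps = [b.ts - a.ts for a, b in zip(run, run[1:])]
        ref_gap = median(gaps) if gaps else gap   # cadence seen so far
        ref_amt = median(t.amount for t in run)   # typical size so far
        steady = (gap > 0
                  and abs(gap - ref_gap) <= interval_tol * ref_gap
                  and abs(cur.amount - ref_amt) <= amount_tol * ref_amt)
        run = run + [cur] if steady else [cur]
        if len(run) >= min_run:  # fire early, while most funds remain
            return {
                "first_ts": run[0].ts,
                "run_length": len(run),
                "interval_s": median(b.ts - a.ts for a, b in zip(run, run[1:])),
                "amount": median(t.amount for t in run),
                "drained_so_far": sum(t.amount for t in run),
            }
    return None

# Constructed sample: wallet idle ~400 days, then ~5,000 POL out every ~30 s.
T0 = 400 * 86400
SAMPLE_DRAIN = [Transfer(T0 + off, amt) for off, amt in
                [(0, 5000), (30, 4990), (61, 5000), (90, 5010), (120, 5000), (151, 5000)]]

if __name__ == "__main__":
    print(detect_drip_drain(SAMPLE_DRAIN, last_active_ts=0))
```

With these assumed thresholds the alert fires on the fifth transfer, about two minutes into the constructed sample.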

Why only the treasury took the hit

Polymarket confirmed that the UMA CTF Adapter (0x6A9D2226…), which had been audited by OpenZeppelin, and all related contracts stayed secure. The loss was limited to the operational treasury; no market positions or user balances were ever at risk. The exploit was not a code vulnerability but a key management failure.

The response and the key change

Once on-chain investigator ZachXBT flagged the suspicious activity — early estimates put the loss at $520,000 before it climbed to $600,000–$700,000 — Polymarket rotated the leaked private key, revoked all permissions tied to it, and migrated the service to KMS-managed keys. That stopped the drain cold.

The stolen POL has not been recovered, and the attacker remains unidentified. Polymarket has not disclosed whether law enforcement has been contacted.