
Polymarket Loses $600K After Six-Year-Old Private Key Leak

On May 22, 2026, Polymarket suffered a roughly $600,000 fund drain after an attacker obtained the private key of a dormant operational wallet. The key, six years old, controlled an externally owned account (EOA) used by the platform's backend 'refiller' service, which tops up day-to-day operational balances. User funds and the core smart contracts, including the UMA CTF Adapter, were untouched, and neither market operations nor share-redemption logic was disrupted.

The compromised wallet

The incident was not a smart contract exploit. The key belonged to an EOA that Polymarket's backend relied on for routine transactional tasks, so whoever held it could sign transactions as that wallet. On-chain investigator ZachXBT first flagged the unusual activity, estimating losses at $520,000; the figure was later revised to between $600,000 and $700,000 in POL tokens. The attacker withdrew the funds in small, regular increments, 5,000 POL every 30 seconds, a low-and-slow pattern likely chosen to stay under per-transaction alert thresholds.

How the money moved

Once siphoned, the funds were routed through exchanges and mixing services, including ChangeNOW, to obscure the trail. The structured, patient pattern points to a deliberate effort to evade detection while cashing out. The drain was not stopped in real time, and Polymarket has not said whether any internal alerts fired.
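One way to catch the "small, regular increments" pattern described above is a monitor that looks at cadence and aggregate outflow rather than the size of any single transfer. The Python below is an added example written for this article, not Polymarket's own monitoring code; the wallet labels, the transfer log and the thresholds are constructed assumptions.

```python
"""Low-and-slow drain detector (added example, not Polymarket code).

Scans outbound transfers from a watched operational wallet and raises two
kinds of alert that a per-transaction threshold would miss:
  - aggregate_outflow: sliding-window sum of outflow exceeds a limit
  - periodic_equal_transfers: a run of same-sized transfers at a steady cadence
All addresses, amounts and thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import median

WATCHED_WALLET = "0xrefiller"   # hypothetical operational EOA
PER_TX_LIMIT = 10_000.0         # naive per-transfer threshold (assumption)
WINDOW_SECONDS = 600            # aggregate lookback window (assumption)
AGGREGATE_LIMIT = 50_000.0      # POL the wallet is expected to move per window (assumption)
MIN_REPEATS = 5                 # same-sized transfers needed before cadence counts
CADENCE_TOLERANCE = 0.25        # allowed jitter as a fraction of the median interval


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix seconds
    sender: str
    recipient: str
    amount: float    # POL


@dataclass(frozen=True)
class Alert:
    kind: str
    count: int
    total: float
    first_ts: int
    last_ts: int


def outbound(transfers, wallet):
    """Outbound transfers from `wallet`, oldest first."""
    return sorted((t for t in transfers if t.sender == wallet), key=lambda t: t.ts)


def per_tx_alert(transfers, wallet, limit=PER_TX_LIMIT):
    """The naive check: fires only if one transfer is large. A 5,000 POL
    chunk under a 10,000 POL limit never trips it."""
    for t in outbound(transfers, wallet):
        if t.amount > limit:
            return Alert("large_transfer", 1, t.amount, t.ts, t.ts)
    return None


def aggregate_alert(transfers, wallet, window=WINDOW_SECONDS, limit=AGGREGATE_LIMIT):
    """Sliding-window sum of outflow; catches a drain regardless of chunk size."""
    outs = outbound(transfers, wallet)
    start, total = 0, 0.0
    for end, t in enumerate(outs):
        total += t.amount
        while outs[start].ts < t.ts - window:   # evict transfers older than the window
            total -= outs[start].amount
            start += 1
        if total > limit:
            return Alert("aggregate_outflow", end - start + 1, total, outs[start].ts, t.ts)
    return None


def cadence_alert(transfers, wallet, min_repeats=MIN_REPEATS, tol=CADENCE_TOLERANCE):
    """Flags a run of equal-sized transfers whose gaps are all close to the
    median gap: the 'N tokens every M seconds' shape of a scripted drain."""
    outs = outbound(transfers, wallet)
    i = 0
    while i < len(outs):
        j = i
        while j + 1 < len(outs) and outs[j + 1].amount == outs[i].amount:
            j += 1
        run = outs[i:j + 1]
        if len(run) >= min_repeats:
            gaps = [b.ts - a.ts for a, b in zip(run, run[1:])]
            mid = median(gaps)
            if mid > 0 and all(abs(g - mid) <= tol * mid for g in gaps):
                return Alert("periodic_equal_transfers", len(run),
                             sum(t.amount for t in run), run[0].ts, run[-1].ts)
        i = j + 1
    return None


def scan(transfers, wallet):
    """Run every detector and return the alerts that fired."""
    checks = (per_tx_alert, aggregate_alert, cadence_alert)
    return [a for a in (c(transfers, wallet) for c in checks) if a is not None]


# Constructed sample log: normal refiller top-ups, one inbound treasury
# transfer (ignored), then a scripted drain of 5,000 POL every 30 seconds.
SAMPLE_TRANSFERS = [
    Transfer(0, WATCHED_WALLET, "0xmarket_a", 1200.0),
    Transfer(300, WATCHED_WALLET, "0xmarket_b", 850.0),
    Transfer(900, WATCHED_WALLET, "0xmarket_a", 2100.0),
    Transfer(1500, "0xtreasury", WATCHED_WALLET, 25_000.0),
] + [Transfer(3600 + 30 * k, WATCHED_WALLET, "0xattacker", 5000.0) for k in range(12)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRANSFERS, WATCHED_WALLET):
        print(alert)
```

The per-transaction check stays silent on the sample data, while the aggregate check fires on the eleventh 5,000 POL chunk and the cadence check fires on the run as a whole. In production the thresholds would be derived from the wallet's normal behaviour, and an alert on an operational wallet should be wired to an automatic pause of the service that holds its key.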

Polymarket's response

After learning of the breach, Polymarket rotated the compromised key, revoked all permissions associated with that address, and migrated the affected service to keys managed by a Key Management Service (KMS). In a KMS, the raw private key never leaves the service: the application requests signatures through an authenticated API, and access is governed by revocable credentials and audit logs rather than by a key file that any process or person with read access can copy. That is what makes a future leak harder to exploit; a stolen credential can be revoked, whereas a stolen raw key remains usable until it is rotated and the wallet emptied. The company said user funds and market integrity were never at risk, and that the refiller wallet's role was strictly limited to holding operational balances for the platform's internal processes.

Misidentified exploit

Early reports mistakenly blamed the UMA CTF Adapter — a contract used by Polymarket for dispute resolution — for the losses. Independent auditors later confirmed the adapter and related contracts were clean. ZachXBT's on-chain analysis helped steer the narrative toward the actual cause: a stale, exposed private key. The confusion underscores how quickly speculation can spread before forensic scrutiny is complete.

The unanswered question is whether the key was stored insecurely, shared inadvertently, or stolen through phishing or malware; Polymarket has not disclosed the root cause of the compromise. As the investigation continues, the move to KMS-managed keys suggests the company is prioritizing centralized key protection over the older, more manual process that left a six-year-old key, long dormant but still wired into live systems, sitting as a target.