Summary
- On-chain investigator ZachXBT reported a suspected wallet drain linked to Polymarket’s Polygon infrastructure on Friday.
- According to Polymarket developers, an "internal top-up" wallet was compromised, but user funds and market outcomes are secure.
- On-chain analytics service Bubblemaps later assessed the total loss at approximately $700,000 across 16 different addresses.
On Friday, on-chain investigator ZachXBT identified a potential drain of over $520,000 from wallets associated with Polymarket, specifically related to its Polygon platform.
Polymarket developers later confirmed that this incident involved an internal rewards wallet and clarified that user funds and market results were unaffected.
“The findings indicate a private key compromise of a wallet utilized for internal top-up functions, not affecting contracts or core infrastructure,” the Polymarket Developers account tweeted.
We are aware of security reports related to rewards payouts. User funds and market resolutions remain secure.
Initial findings indicate a private key compromise of a wallet used for internal top-up functions, not impacting contracts or core infrastructure.
More updates will follow.
— Polymarket Developers (@PolymarketDevs) May 22, 2026
More than an hour post the initial report, the on-chain analytics platform Bubblemaps estimated the total loss to be around $700,000, noting that the funds were distributed across 16 addresses and funneled through centralized exchanges and other services.
Polymarket’s prediction markets operate by using contracts to document bets and rewarding winners based on results confirmed by an external service. The wallet involved in the incident appears to have been used for rewards distribution, distinct from the contracts managing user funds and market outcomes.
UPDATE: ~$700k exploited
• Suspected withdrawals have ceased
• Polymarket stated the incident was isolated and user funds are secureThe stolen funds were divided across 16 addresses and routed through CEXs and other services
Exploiter addresses:… https://t.co/gSXWv7UywX
— Bubblemaps (@bubblemaps) May 22, 2026
Operational Security Concerns
Andy Yajin Zhou, an associate professor at the Chinese University of Hong Kong and co-founder of blockchain security firm BlockSec, informed Decrypt that their preliminary assessment aligns with Polymarket's developers' claims, indicating that the issue stemmed from a private key compromise rather than a flaw in the platform’s primary systems.
“Our initial analysis suggests this does not represent a flaw in the adapter contract logic or the prediction market infrastructure itself,” Zhou stated. “So far, we have not found evidence of a protocol-level exploit, oracle manipulation, or a general vulnerability in adapter-based market infrastructure.”
Such incidents underscore the operational security risks, including key management, access control, signing processes, monitoring, and other protective measures related to wallets used for routine operations, Zhou elaborated.
Blockchain security firm Cyvers reached similar conclusions, indicating that the issue appeared to involve operational or administrative wallets rather than Polymarket’s core contracts or the system utilized for market settlements. They highlighted a wider industry risk concerning privileged wallets.
“Even if prediction market protocols are secure at the smart contract level, privileged adapter or admin wallets present a significant attack surface if key management or operational security is compromised,” Hakan Unal, senior security operation lead at Cyvers, shared with Decrypt.
The incident reflects a broader trend in how attackers are targeting cryptocurrency projects, according to Dan Dadybayo, strategy lead at crypto infrastructure developer Horizontal Systems, who told Decrypt that, “This increasingly appears to be a failure in key management rather than an exploit of smart contracts. The notable shift in the crypto landscape is that attackers are now focusing on the operational layers surrounding protocols: admin wallets, permissions, and infrastructure.”
Decrypt has reached out to Polymarket for further comments and will update this article as necessary. This is a developing situation.