The exploit targeted an internal top-up wallet for Polymarket on the Polygon network, not the core smart contracts or user funds. While $700k is a significant amount, its isolation to operational aspects limits direct impact on MATIC's broader price trajectory.
The exploit is an operational security failure rather than a vulnerability in the Polygon network's core technology or smart contract logic. This should not directly affect the demand or supply dynamics of MATIC itself.
The exploit occurred recently, and the market reaction, if any, would likely be immediate. However, since user funds and core infrastructure are unaffected, any negative sentiment is expected to be short-lived.

In brief

On-chain investigator ZachXBT flagged a suspected drain from a wallet linked to Polymarket’s Polygon infrastructure Friday.
Polymarket devs said an “internal top-up” wallet was drained, while user funds and market outcomes remain safe.
On-chain analytics platform Bubblemaps later estimated the loss at about $700,000 across 16 addresses.

On-chain investigator ZachXBT flagged a suspected drain tied to Polymarket on Friday, saying over $520,000 had been taken from addresses linked to the prediction market’s Polygon infrastructure.

Polymarket developers later acknowledged the incident and said it involved an internal rewards wallet and did not affect user funds or market outcomes.

“Findings point to a private key compromise of a wallet used for internal top-up operations, not contracts or core infrastructure,” the Polymarket Developers account tweeted.

We’re aware of the security reports linked to rewards payout. User funds and market resolution are safe. Findings point to a private key compromise of a wallet used for internal top-up operations, not contracts or core infrastructure. More updates to follow.
— Polymarket Developers (@PolymarketDevs) May 22, 2026

Over an hour after the initial disclosure, on-chain analytics platform Bubblemaps estimated the loss at about $700,000, saying the funds were split across 16 addresses and routed through centralized exchanges and other services.

Prediction markets on Polymarket use contracts that record bets and pay winners after an outside service confirms the result. The wallet involved in Friday’s incident appears to have been used for rewards payments, separate from the contracts that handle user funds and market outcomes.

UPDATE: ~$700k exploited
• Suspected withdrawals have stopped
• Polymarket said the incident was isolated and user funds are safe
The stolen funds were split across 16 addresses and routed through CEXs and other services
Exploiter addresses:… https://t.co/gSXWv7UywX
— Bubblemaps (@bubblemaps) May 22, 2026

Operational risks

Andy Yajin Zhou, associate professor at the Chinese University of Hong Kong and co-founder of on-chain security firm BlockSec, told Decrypt their initial review was consistent with the Polymarket developers’ account that the incident involved a private key compromise rather than a flaw in the platform’s core systems.

“Based on our initial analysis, this does not appear to be a flaw in the adapter contract logic or prediction market infrastructure itself,” Zhou said. “At this stage, we have not identified evidence suggesting a protocol-level exploit, oracle manipulation, or a generalized vulnerability in adapter-based market infrastructure.”

Incidents like this point to operational security risk, including key management, access control, signing policies, monitoring, and other safeguards around wallets used for routine operations, Zhou explained.

Blockchain security firm Cyvers reached a similar conclusion, saying the incident appeared to affect operational or admin wallets, instead of Polymarket’s core contracts or its system used for settling markets, pointing to a broader industry risk around privileged wallets.

“Even when prediction market protocols are secure at the smart contract level, privileged adapter or admin wallets remain a critical attack surface if key management or operational security is compromised,” Hakan Unal, senior security operation lead at Cyvers, told Decrypt.

The incident fits a broader shift in how attackers are targeting crypto projects, Dan Dadybayo, strategy lead at crypto infrastructure developer Horizontal Systems, told Decrypt.

“This increasingly looks like a key management failure rather than a smart contract exploit,” Dadybayo said. “The interesting shift across crypto is that attackers are no longer primarily breaking protocols. They’re targeting the operational layers around them: admin wallets, permissions, and infrastructure.”

Decrypt has reached out to Polymarket for comment and will update this article should they respond.

This is a developing story.
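
The monitoring and spending safeguards Zhou lists for routine-operations wallets can be expressed as an outflow monitor that flags unknown recipients, oversized transfers, window overspend and fan-out to several new addresses. The following Python is an added example, not code from Polymarket or any firm quoted here; the thresholds, address labels, USD amounts and transfer records are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class OutflowMonitor:
    allowlist: frozenset     # destinations the wallet normally pays (assumed)
    per_tx_cap: float        # largest routine transfer, USD (assumed)
    window_secs: int         # rolling window length
    window_budget: float     # total outflow tolerated per window, USD
    max_unknown: int         # distinct unknown recipients tolerated per window
    recent: deque = field(default_factory=deque)   # (ts, dest, amount)

    def observe(self, ts, dest, amount):
        """Record one outbound transfer and return the rules it violates."""
        self.recent.append((ts, dest, amount))
        while ts - self.recent[0][0] > self.window_secs:
            self.recent.popleft()                  # expire transfers outside the window
        reasons = []
        if dest not in self.allowlist:
            reasons.append("unknown-destination")
        if amount > self.per_tx_cap:
            reasons.append("per-tx-cap")
        if sum(a for _, _, a in self.recent) > self.window_budget:
            reasons.append("window-budget")
        unknown = {d for _, d, _ in self.recent if d not in self.allowlist}
        if len(unknown) > self.max_unknown:
            reasons.append("fan-out")              # funds spread over new addresses
        return reasons

def scan(monitor, transfers):
    """Return (ts, dest, reasons) for each transfer that breaks a rule."""
    seen = [(ts, dst, monitor.observe(ts, dst, amt))
            for ts, dst, amt in sorted(transfers)]
    return [alert for alert in seen if alert[2]]

# Constructed sample: two routine payouts, then a burst to new addresses.
SAMPLE = [
    (0, "0xREWARDS_A", 1_500.0), (600, "0xREWARDS_B", 2_000.0),
    (7200, "0xNEW_01", 40_000.0), (7230, "0xNEW_02", 45_000.0),
    (7260, "0xNEW_03", 38_000.0),
]

def demo():
    m = OutflowMonitor(frozenset({"0xREWARDS_A", "0xREWARDS_B"}), per_tx_cap=5_000,
                       window_secs=3600, window_budget=20_000, max_unknown=1)
    return scan(m, SAMPLE)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The same rules can gate signing instead of alerting after the fact, in which case a rejected transfer should not be added to the window.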