
On-chain investigator ZachXBT flagged a suspected private key compromise on May 22 that drained roughly $600,000 from a Polymarket-linked address on Polygon, with the attacker pulling about 5,000 POL every 20 to 30 seconds before keys were rotated. Polymarket VP of engineering Josh Stevens later confirmed the source was a six-year-old private key tied to an internal top-up wallet, not the platform's smart contracts and not customer balances. The distinction matters because how a drain happens decides who the next victim is, and right now the threat model is pointing at individual users rather than protocol teams.
This is not a Polymarket protocol exploit. It is an account-level key compromise that maps directly onto how every self-custody user on Polygon holds funds, which is exactly why the incident is worth reading carefully.
What ZachXBT Flagged and What the On-Chain Trail Actually Shows
ZachXBT's first public alert on May 22 pointed at the UMA CTF Adapter contract on Polygon, the contract Polymarket uses with UMA's optimistic oracle to settle markets. Initial reporting pegged the loss at around $520,000 in POL and USDC.e, and within hours the figure climbed past $600,000 as automated withdrawals kept clearing the address in tight 20 to 30 second cycles.
The mechanical pattern is the giveaway. Human attackers do not move funds in identical batches every 20 seconds for hours. Scripts do. A scripted drain at that cadence means the attacker already had signing authority and was just sweeping balances as they arrived, which is the signature of a private key leak rather than a logic bug in the contract itself.
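A simple way for a wallet-monitoring script to pick out that signature is to look for runs of outflows whose timing and amounts are too regular for a person. The detector below is an added example, not Polymarket's or ZachXBT's tooling; it runs over a constructed outflow history (no real Polygon data) that ends with a run shaped like the May 22 drain, and flags any run of near-identical sends at a near-constant cadence.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Transfer:
    ts: int        # block timestamp, seconds
    value: float   # amount leaving the address, in POL

# Constructed sample (not real chain data): three human-paced sends
# followed by twelve sends of 5,000 POL exactly 25 seconds apart.
SAMPLE = [Transfer(1_000, 120.5), Transfer(4_600, 75.0), Transfer(9_800, 2_000.0)] + \
    [Transfer(20_000 + 25 * i, 5_000.0) for i in range(12)]

def _cv(xs):
    """Coefficient of variation; 0 when the mean is 0 (e.g. same-block txs)."""
    m = mean(xs)
    return pstdev(xs) / m if m else 0.0

def find_scripted_sweeps(transfers, min_run=6, max_gap=60,
                         max_gap_cv=0.5, max_value_cv=0.05):
    """Return (start_ts, end_ts, count, total_out) for every run of outflows
    that are spaced at most max_gap seconds apart, are at least min_run long,
    and have gap and amount variation below the thresholds."""
    txs = sorted(transfers, key=lambda t: t.ts)
    runs, i = [], 0
    while i < len(txs):
        j = i
        # Extend the run while the next send arrives within max_gap seconds.
        while j + 1 < len(txs) and txs[j + 1].ts - txs[j].ts <= max_gap:
            j += 1
        run = txs[i:j + 1]
        if len(run) >= min_run:
            gaps = [b.ts - a.ts for a, b in zip(run, run[1:])]
            vals = [t.value for t in run]
            if _cv(gaps) <= max_gap_cv and _cv(vals) <= max_value_cv:
                runs.append((run[0].ts, run[-1].ts, len(run), sum(vals)))
        i = j + 1
    return runs

if __name__ == "__main__":
    for start, end, n, total in find_scripted_sweeps(SAMPLE):
        print(f"scripted sweep: {n} sends, {total:,.0f} POL, t={start}..{end}")
```

Tune min_run and max_gap to the address's normal traffic; an exchange hot wallet that legitimately batches payouts will need a tighter amount threshold than a personal EOA.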
Polymarket's engineering response, posted within hours of the initial flag, said the contracts were untouched and the compromise was limited to a wallet used for routine top-ups of operational balances. CoinDesk's reporting confirmed user funds were not affected. CryptoSlate's follow-up added the detail that the leaked key was approximately six years old, predating most of Polymarket's current security architecture.
ZachXBT is an independent on-chain investigator, not law enforcement and not a Polymarket employee. His role is reading transaction patterns in real time and putting a name on suspicious activity before the affected platform issues a statement. That speed is the value. It is also why investigations like this one stay labeled "suspected" until the platform formally confirms the cause, which Polymarket did roughly five hours after the initial alert.
How Polymarket Account Custody Actually Works
Most people picture Polymarket as a centralized prediction market with an exchange-style account. The reality is closer to an on-chain DEX wearing a clean UI.
Every Polymarket user has a self-custody externally owned account on Polygon, the same kind of EOA that controls a MetaMask wallet. Deposits move USDC.e from an Ethereum or Polygon address into that EOA. Bets are signed transactions to the UMA CTF Adapter contract. Withdrawals are signed transactions back out. The Polymarket frontend abstracts the signing away through embedded wallet flows, but the underlying account is yours and the private key is yours.
That is what makes the May 22 incident structurally identical to thousands of smaller account drains that happen on Polygon every month. Polymarket's internal top-up wallet was an EOA holding operational POL and USDC.e. Once the private key leaked, the attacker had the same permission level Polymarket itself had over that address. No contract exploit was required because the contract did exactly what it was designed to do, which was honor signed transactions from the address that held the funds.
The reason this matters for users is that high-value Polymarket positions sit in the same kind of account, signed by the same kind of key. If a six-year-old operational key inside the Polymarket org can leak, every assumption about your own key hygiene needs to be checked against the same threat model.
The Self-Custody Implications for High-Value Polymarket Users
Polymarket's largest accounts are visible. Wallet addresses linked to seven- and eight-figure positions on the 2024 US election cycle were doxed publicly during peak volume, and a chunk of those addresses still hold meaningful balances. Anyone with basic chain analysis tools can build a list of high-value EOAs in under an hour. Attackers have the same list.
The targeting pattern across 2025 and into 2026 has been consistent. Phishing kits impersonate Polymarket's email and UI, fake browser extensions intercept signing requests, and credential stuffing against the email address tied to the embedded wallet keeps generating fresh victims every week. The drain itself is usually one transaction, one signature, gone before the user opens their phone.
| Account type | Custody model | Realistic threat |
| --- | --- | --- |
| Polymarket position via embedded wallet | Self-custody EOA, key managed by app | Phishing, malicious browser extension, device compromise |
| Polymarket position via external wallet (MetaMask) | Self-custody EOA, key managed by user | Seed phrase leak, signing approval abuse, fake dApp prompts |
| Polymarket internal operational wallet | Org-managed EOA | Stale key, insider access, infrastructure leak (the May 22 case) |
The honest read is that an attacker who gets your Polygon private key gets your Polymarket position, your USDC.e balance, and any other token sitting in that address. There is no Polymarket support line that will reverse a signed transaction. There is no Polygon equivalent of FDIC insurance. The platform's contracts behaved correctly during the May 22 incident, which means the platform has no recourse against an attacker who behaves "correctly" against your address either.
What to Check on Your Polymarket Account Right Now
Three checks are worth running in the next ten minutes regardless of position size.
Confirm the email tied to your embedded wallet has unique credentials and 2FA. A reused password from a 2019 breach is the most common single failure point on Polygon EOAs, and the hygiene baseline has not changed in five years. Run the full 13-point checklist on the security article you already saw linked above before moving on.
Review token approvals on your Polymarket address. Open a Polygon explorer and check the approval list for any contract you do not recognize, then revoke anything you cannot identify. Old approvals from forgotten dApps sit on most active wallets as a silent attack surface that nobody audits until something already moved.
Move any position size you would not want to lose to a hardware wallet signing flow. Polymarket can be used with an external wallet rather than the default embedded one, and the friction is real. The tradeoff is that a hardware wallet requires physical confirmation per signature, which neutralizes the entire class of remote key compromise that hit Polymarket's internal address.
For accounts holding more than a few thousand dollars, treat the embedded wallet as a hot wallet and route serious size through a hardware-signed wallet. That is the same separation any self-custody guide for spot or DeFi positions recommends, and there is no reason a prediction market position should be held to a lower standard.
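The approval review above can be scripted instead of eyeballed in an explorer. The audit below is an added example, not Polymarket tooling: it takes ERC-20 Approval event logs in the shape a Polygon node returns from eth_getLogs (here constructed inline with placeholder addresses, not real contracts), keeps only the latest allowance per token and spender, and lists every non-zero allowance with a recognized/unknown verdict and whether it is unlimited.

```python
# keccak256("Approval(address,address,uint256)"), the topic[0] of ERC-20 Approval events
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_addr(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte indexed-topic encoding."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def addr_from_topic(topic: str) -> str:
    return "0x" + topic[-40:]

# Constructed placeholder addresses (not real Polygon contracts or wallets).
OWNER   = "0x1111111111111111111111111111111111111111"
USDC_E  = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
MARKET  = "0x2222222222222222222222222222222222222222"   # contract you actually use
OLD_DAPP = "0x9999999999999999999999999999999999999999"  # forgotten dApp
REVOKED = "0x3333333333333333333333333333333333333333"
KNOWN_SPENDERS = {MARKET: "market contract"}

def approval_log(token, spender, amount, block, idx):
    """Build one log entry in eth_getLogs shape (constructed sample data)."""
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, topic_addr(OWNER), topic_addr(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    approval_log(USDC_E, MARKET, 1_000_000_000, 100, 0),  # bounded, recognized
    approval_log(USDC_E, OLD_DAPP, MAX_UINT256, 250, 3),  # unlimited, unknown
    approval_log(USDC_E, REVOKED, 500_000_000, 300, 1),
    approval_log(USDC_E, REVOKED, 0, 310, 0),             # later revoked: allowance 0
]

def outstanding_approvals(logs, owner, known):
    """Latest allowance per (token, spender) for owner; returns non-zero ones."""
    latest = {}
    for lg in logs:
        if lg["topics"][0] != APPROVAL_TOPIC or lg["topics"][1] != topic_addr(owner):
            continue
        key = (lg["address"], addr_from_topic(lg["topics"][2]))
        order = (lg["blockNumber"], lg["logIndex"])  # chain order decides which wins
        if key not in latest or order > latest[key][0]:
            latest[key] = (order, int(lg["data"], 16))
    report = []
    for (token, spender), (_, amount) in latest.items():
        if amount == 0:
            continue
        report.append({"token": token, "spender": spender,
                       "unlimited": amount == MAX_UINT256,
                       "recognized": spender in known,
                       "action": "keep" if spender in known else "revoke (approve 0)"})
    return sorted(report, key=lambda r: (r["recognized"], r["spender"]))
```

Feed it real logs by querying eth_getLogs with topics [APPROVAL_TOPIC, topic_addr(your_address)] per token; revoking means sending approve(spender, 0) from the wallet itself, which is the same signed-transaction model the rest of the article describes.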
Frequently Asked Questions
Was the May 22 Polymarket incident a smart contract hack?
No, and the distinction is important for understanding the broader risk. Polymarket and ZachXBT both confirmed the UMA CTF Adapter contract behaved as designed, and the compromise was a private key tied to an internal operational wallet rather than a flaw in the contract code or the oracle logic.
Are Polymarket user funds at risk right now?
User funds in personal Polymarket accounts were not affected by the May 22 drain. The compromised wallet was an internal Polymarket address. Each user's own EOA is independently secured, which also means each user is independently responsible for the key.
How do attackers usually steal Polymarket account funds?
The dominant vectors are phishing pages that mimic the Polymarket login, malicious browser extensions that hijack signing prompts, and seed phrase leaks from screenshots, cloud backups, or password manager breaches. Direct contract exploits against personal accounts are rare because the contracts hold no user-specific permissions.
Is the loss of $600,000 final?
Polymarket rotated the compromised keys within hours and the active drain stopped. Recovery of the stolen POL and USDC.e is unlikely without law enforcement action against the wallet holder, and on-chain assets sent to a self-custody address are not recoverable by the platform itself.
Bottom Line
The Polymarket incident is a high-profile reminder that the weakest link in any Polygon position is the private key, not the protocol. ZachXBT flagged a $600,000 internal wallet drain, Polymarket confirmed a six-year-old operational key as the cause, and the attacker walked because the contracts did exactly what signed transactions told them to do. The same threat model sits on every user's account, which is why the next 24 hours are the right window to revoke unknown approvals, rotate any reused credentials tied to the embedded wallet, and move serious size to a hardware-signed flow. The platform did its part by rotating the leaked key in under five hours. The user side of that work is still yours.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.