Polymarket stated that roughly $573,200 was moved on Polygon on May 22 after an old private key used for the platform’s internal operational wallet was compromised. ZachXBT was the first to warn about unusual fund flows related to a Polymarket admin address, before the company confirmed the incident did not stem from a contract exploit. Polymarket asserted that user funds remain safe, Polymarket and UMA contracts were not attacked, and the market resolution process was not affected.
Polymarket Confirms Internal Wallet Key Compromise
Polymarket Builders stated that the platform noted security reports related to rewards payouts, but asserted that user funds and the market resolution process were not affected. The project stated that current findings point to a compromised private key of a wallet used for internal operations, not a flaw in contracts or core infrastructure.
No Polymarket or UMA contracts have been exploited. All user funds are safe, and using https://t.co/7bOD8pgjQC is safe, so business as usual.
We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it.…
— Josh (@devjoshstevens) May 22, 2026
Josh Stevens, Vice President of Engineering at Polymarket, later emphasized that no Polymarket or UMA contracts had been attacked. He said the compromised private key had existed for about 6 years and was inside an internal configuration used to replenish the system, causing funds to continue being sent to the related address while the incident was ongoing.
ZachXBT Flagged the Admin Address
The initial warning came from ZachXBT in his Telegram channel, when he stated that a Polymarket admin address on Polygon appeared to have been compromised. At that time, ZachXBT estimated that over $520,000 had been withdrawn and disclosed that the attacker’s wallet started with 0x8F98.
Warning post in the channel. Source: ZachXBT
Lookonchain later cited this warning along with Arkham data and provided an initial estimate of over $660,000 withdrawn. The initial on-chain signals caused the incident to be viewed as a contract exploit, before Polymarket confirmed the issue came from the private key of the internal operational wallet.
$164K Frozen After $573.2K Was Moved
In a subsequent update, Stevens stated that Polymarket collaborated with ZachXBT, BitcoinVN, and ChangeNOW to freeze $164,000 of the funds moved from the compromised private key. This figure is equal to roughly 28.6% of the amount Polymarket confirmed was moved.
With @zachxbt leading the effort alongside @Bitcoin_Vietnam and @ChangeNOW_io, we managed to freeze $164,000 of the $573,200 in funds transferred from the compromised private key.
Actually was a team effort, and it was wonderful how rapidly everybody reacted. Thanks to everybody who… https://t.co/LW2pHZuFG7
— Josh (@devjoshstevens) May 22, 2026
The figure published by Stevens is lower than the initial estimate of over $660,000 from Lookonchain, but higher than the level of over $520,000 stated by ZachXBT in the first warning. These levels were provided at different times during the on-chain community’s monitoring of the fund flows.
Polymarket Rotates Key After Compromise
Following the incident, Stevens stated that Polymarket rotated the affected private key, revoked all related production access, and will move private key management to KMS. These moves were made after the platform determined the incident stemmed from an old key within internal operational processes, rather than a contract flaw.
The move to KMS marks a change in how Polymarket manages keys after the incident. For crypto platforms, private keys tied to operational wallets or admin rights can become major risk points if they remain in automated flows after many years. In this case, Polymarket said related production rights have been revoked, but has not yet stated the prior scope of authority of the affected wallet.
On the same day, Polymarket Builders also announced a scheduled maintenance, during which trading was paused for about 5-10 minutes and shifted to post-only mode for 2 minutes after restarting. The project later stated that the maintenance was completed and trading returned to normal, but did not clarify whether this maintenance was directly related to the private key incident.
What Polymarket Has Yet to Disclose
It currently remains unclear how the private key was compromised, what scope of access this internal operational wallet held, and whether Polymarket can recover any further portion of the assets beyond the frozen amount. Polymarket has also not clarified whether the move to KMS will apply to all operational keys or only the group of keys related to this specific incident.
A full postmortem, if published, could clarify which operational flow the affected wallet was in, why a key that had existed for many years was still being used, and how new control measures will change internal processes.





