Prediction market leader Polymarket confirmed on 22 May that a compromised private key led to the drain of approximately $574,000 from an internal operations wallet on the Polygon network.
Onchain investigators including ZachXBT, Lookonchain and Bubblemaps flagged the transfers, which involved 1.24mn POL and 458,671 USDC.e, according to ZeroDriftSec.
Private key compromise detailed
Polymarket responded quickly via X. "No Polymarket or UMA contracts have been exploited. All user funds are safe, and using Polymarket.com is safe, so business as usual," said Josh Stevens, VP of Engineering at Polymarket. "We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it. We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on."
ZeroDriftSec analysis confirmed the flows routed directly through the operations wallet to the attacker address), not through the UMA CTF Adapter. UMA protocol said its contracts and systems were unaffected and not exploited.
Series of security incidents
Polymarket, a leading decentralized platform where users bet cryptocurrency on real-world events such as elections, economic data and sports with transparent onchain settlement, has faced repeated security scrutiny.
- December 2025: Third-party authentication provider vulnerability led to multiple user account drains.
- February 2026: Offchain-onchain synchronization flaw allowed attackers to target market-making bots via nonce manipulation.
- April 2026: Claims of a 300,000-user data leak dismissed by Polymarket as scraped public information.
Regulatory, market context
The incident arrives as Polymarket, with a current total value locked around $441mn and peak monthly trading volumes reaching several billion dollars, pursues CFTC approval for US market re-entry and a potential $400mn fundraise at a $15bn valuation.
The broader DeFi sector has seen severe pressure in 2026, with April losses owing to exploits exceeding $600mn and May totals approaching $840mn, according to DeFi Llama. Attacks increasingly target operational infrastructure and key management rather than core smart contract bugs.