Someone Drained Polymarket’s Ops Wallet at 5,000 POL Every 30 Seconds. It Took Hours to Stop.

A compromised private key let an attacker automate withdrawals from Polymarket's UMA CTF Adapter on Polygon. ZachXBT flagged it first. Losses passed $700,000 before the team responded. Polymarket says user funds are safe. The attacker has already split the proceeds across 15 wallets.

On May 22, an attacker began draining Polymarket’s internal operations wallet on Polygon. The method was brutally simple: automated withdrawals of roughly 5,000 POL every 30 seconds, running like a metronome for hours. ZachXBT flagged the drain first. PeckShield confirmed it. Bubblemaps mapped the outflows in real time and told users to pause all activity.

By the time Polymarket’s team responded publicly, losses had passed $700,000.
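The drain pattern described above, fixed-size withdrawals at a fixed interval, is a regular signature that outflow monitoring on an operations wallet can flag within a few transfers. The following is an added example, not Polymarket's or any monitoring firm's code; the function name, thresholds and sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Run:
    start: int    # unix time of the first transfer in the run
    count: int    # number of transfers in the run
    total: float  # sum of the amounts moved

def find_metronomic_outflows(transfers, min_run=5, amount_tol=0.05, gap_tol=0.25):
    """Return runs of >= min_run outflows with near-equal size and spacing.

    transfers: iterable of (unix_ts, amount) outflows from one monitored wallet.
    amount_tol / gap_tol: allowed relative deviation from the run's first
    amount and first inter-transfer gap (hypothetical defaults).
    """
    txs = sorted(transfers)
    runs, i = [], 0
    while i < len(txs) - 1:
        base_amt = txs[i][1]
        base_gap = txs[i + 1][0] - txs[i][0]
        j = i
        # Extend the run while both size and spacing stay close to the baseline.
        while (j + 1 < len(txs) and base_gap > 0
               and abs(txs[j + 1][1] - base_amt) <= amount_tol * base_amt
               and abs((txs[j + 1][0] - txs[j][0]) - base_gap) <= gap_tol * base_gap):
            j += 1
        n = j - i + 1
        if n >= min_run:
            runs.append(Run(txs[i][0], n, sum(a for _, a in txs[i:j + 1])))
            i = j + 1
        else:
            i += 1
    return runs

# Constructed sample data (not real chain data): irregular reward payouts,
# then a drain of about 5,000 POL roughly every 30 seconds with small jitter.
T0 = 1_700_000_000
SAMPLE = [(T0, 120.0), (T0 + 410, 75.5), (T0 + 1900, 300.0), (T0 + 2600, 42.0)]
SAMPLE += [(T0 + 3600 + 30 * k + (k % 3), 5000.0 - 10 * (k % 2)) for k in range(20)]

if __name__ == "__main__":
    for run in find_metronomic_outflows(SAMPLE):
        print(f"ALERT: {run.count} uniform outflows from t={run.start}, total {run.total}")
```

With `min_run=5`, a drain at this cadence would raise an alert about two minutes after it starts, well before a manual review would notice it.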

Not a Smart Contract Bug. A Stolen Key.

The initial panic on crypto Twitter called it a smart contract exploit. It was not. Polymarket’s engineering lead clarified hours later that the attacker compromised a private key belonging to an internal operations wallet. This wallet handled rewards payouts, not user deposits or market resolution contracts.

That distinction matters. A smart contract exploit means the code is broken. A key compromise means the access control is broken. The underlying contracts functioned exactly as designed. The problem was that someone who should not have had the key did. It is the same pattern showing up everywhere in crypto: the biggest security problem is no longer the code. It is the humans with the keys.

ZachXBT Found It Before Polymarket Did

The timeline is uncomfortable for Polymarket. ZachXBT posted the attacker’s address at 07:00 UTC. Bubblemaps confirmed the ongoing drain minutes later and warned users to stop depositing. PeckShield corroborated the data. Polymarket’s first official response came hours after that.

This is becoming a pattern with ZachXBT. The on-chain investigator consistently identifies exploits before the affected teams do. His recent exposure of LAB’s $6 billion valuation with 95% insider supply showed the same dynamic: public receipts posted faster than the project could spin the narrative.

The Money Trail Is Already Cold

Bubblemaps tracked the stolen funds across 15 wallet addresses within the first hour. Portions were routed into ChangeNOW, a swap service that converts tokens without KYC. Once funds hit ChangeNOW, tracing becomes significantly harder. The attacker was not improvising. The dispersion pattern suggests preparation.

Recovery prospects are dim. Unlike centralized platforms that can freeze accounts, Polymarket operates on Polygon where transactions are final. Some protocols have found creative solutions: Arbitrum reached into a hacker’s wallet and froze $71 million in ETH after a validator exploit earlier this month. But that required governance-level authority that Polymarket does not have over Polygon.

Polymarket’s Security History Is Getting Crowded

This is not Polymarket’s first security incident. November 2024 brought a phishing attack that cost users roughly $500,000. December 2025 saw an authentication provider hack that hit even users with two-factor authentication enabled. February 2026 featured a nonce manipulation exploit targeting trading bots. Polymarket brought in Chainalysis after a $400,000 insider bet incident in late April. That was supposed to be the start of a new security posture. Less than a month later, an ops wallet got drained for $700,000.

Polymarket processed over $25 billion in volume in March alone. $700,000 is a rounding error on that scale. But the optics are terrible. The platform just got blocked in India, is facing a Congressional insider trading probe, and now has a fourth security incident in 18 months. User funds may be safe this time. The question is how many more times users will accept that sentence before they stop depositing.
