Polymarket Operations Wallet Drained of 700,000 Dollars on Polygon as Private Key Compromise Exposes Infrastructure Risk

2026-05-22

An internal operations wallet linked to Polymarket’s reward payout system was drained of approximately $700,000 in POL tokens on the Polygon blockchain on May 22, according to on-chain data flagged by blockchain investigator ZachXBT. Polymarket’s engineering lead Shantikiran Chanal confirmed the incident within hours, stating that user funds and market resolution mechanisms remain unaffected and that early findings point to a private key compromise rather than a smart contract exploit.

How the Drain Unfolded

ZachXBT first flagged suspicious outflows from two addresses associated with Polymarket’s UMA Conditional Token Framework adapter on Polygon, initially estimating the loss at around $520,000. The attacker was removing approximately 5,000 POL every 30 seconds in repeated automated transfers from at least two wallet addresses, identified as 0x871D…29082 and 0xf61e…4805. Blockchain analytics firm Bubblemaps subsequently confirmed that the attacker had split the stolen funds across at least 15 separate wallet addresses, a dispersion pattern consistent with pre-planned laundering infrastructure.

Follow-up analysis from Lookonchain and CryptoTimes revised the total drained amount upward to approximately $700,000, with a portion of the funds reportedly deposited into ChangeNOW, a non-custodial exchange that does not require identity verification. The drain continued for an extended period before Polymarket’s team intervened, raising questions about the monitoring and alert systems in place for operational wallets.

Private Key Compromise, Not a Smart Contract Exploit

Polymarket’s engineering lead Shantikiran Chanal addressed the incident on X, clarifying that the team is “aware of the security reports linked to rewards payout” and that “user funds and market resolutions are safe.” Chanal stated that early findings indicate a private key compromise of a wallet used for internal top-up operations, not a vulnerability in the platform’s smart contracts or core infrastructure. The team also disclosed that it is investigating whether any other internal secrets may have been affected and is rotating backend services as a precautionary measure.

The compromised wallet served a specific administrative function within Polymarket’s UMA CTF adapter system, distributing POL token rewards to oracle proposers who participate in market resolution. Because this function operates independently from the platform’s user deposit and settlement infrastructure, the drain did not affect user USDC balances, open market positions, or the accuracy of market resolution outcomes. The UMA token experienced a 3.3 percent decline during the exploit window, dropping from $0.477 to $0.462, while POL remained essentially flat at approximately $0.092.

Operational and Reputational Implications

While user funds were not at risk, the incident highlights the security challenges that prediction market platforms face as they scale. Polymarket has grown significantly since its emergence as a major venue for event-based trading, and the platform’s reliance on administrative wallets for oracle incentive distribution creates surface area for targeted attacks. The ability to drain funds at a steady rate of 5,000 POL every 30 seconds over an extended period suggests that real-time monitoring of operational wallets may not have been configured to trigger immediate automated responses.

The incident also arrives during a period of heightened scrutiny for Polymarket. Previous investigations by ZachXBT and others have flagged wallet activity patterns suggestive of insider trading on the platform, and the prediction market sector continues to navigate an evolving regulatory landscape. The platform confirmed it is aiming to expand into regulated markets such as Japan by 2030, making operational security incidents particularly consequential for its long-term licensing ambitions.

Risks and Uncertainties

The full scope of the compromise remains under investigation. Polymarket has not disclosed how the private key was obtained, whether additional internal systems were accessed, or what specific measures are being implemented to prevent recurrence. The attacker’s use of ChangeNOW for fund dispersion reduces the likelihood of asset recovery, and the lack of immediate freeze actions by exchanges or the Polygon network means the stolen funds may already be beyond retrieval. Security analysts note that private key compromises are among the most difficult attack vectors to defend against, as they bypass all smart contract safeguards regardless of code quality.

The incident also raises broader questions about the security practices of decentralized finance platforms that maintain centralized operational components. While the separation between user funds and administrative wallets limited the damage in this case, the pattern of steady automated draining over an extended period suggests room for improvement in operational monitoring and incident response protocols.
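
The pattern described above, roughly fixed-size transfers leaving an operations wallet at a fixed interval, is a signal a wallet monitor can alert on before much value has left. The Python below is an added example, not code from the article or from Polymarket; the wallet label, thresholds, and transfer records are constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev

# Assumed policy values for a hypothetical payout wallet; tune per wallet.
WINDOW_S = 300          # sliding window length, seconds
MAX_OUTFLOW = 20_000.0  # POL allowed to leave within one window
MIN_RUN = 4             # transfers needed before the cadence check applies
MAX_CV = 0.10           # spread (stdev/mean) at or below this is "machine-regular"

def _cv(values):
    """Coefficient of variation; 0.0 means perfectly uniform."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def detect_drain(transfers, wallet):
    """Return the first alert for `wallet`, or None (input is time-ordered)."""
    # Recipients are ignored on purpose: fan-out must not hide the pattern.
    window = deque()
    for ts, sender, _recipient, amount in transfers:
        if sender.lower() != wallet.lower():
            continue
        window.append((ts, amount))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()
        total = sum(a for _, a in window)
        reasons = []
        if total > MAX_OUTFLOW:
            reasons.append("outflow_budget")
        if len(window) >= MIN_RUN:
            times = [t for t, _ in window]
            gaps = [b - a for a, b in zip(times, times[1:])]
            if _cv(gaps) <= MAX_CV and _cv([a for _, a in window]) <= MAX_CV:
                reasons.append("fixed_cadence")
        if reasons:
            return {"ts": ts, "reasons": reasons, "window_total": total,
                    "transfers_seen": len(window)}
    return None

# Constructed sample data; the address strings are placeholders.
OPS = "0xOPS_WALLET_PLACEHOLDER"
NORMAL = [(1000, OPS, "0xA", 120.0), (1900, OPS, "0xB", 45.5),
          (4000, OPS, "0xC", 310.0), (4100, OPS, "0xD", 80.0)]
DRAIN = [(10_000 + 30 * i + i % 2, OPS, f"0xSINK_{i % 3}", 5000.0 - 3 * i)
         for i in range(12)]

if __name__ == "__main__":
    print(detect_drain(NORMAL, OPS))
    print(detect_drain(DRAIN, OPS))
```

With these constructed inputs the cadence rule fires on the fourth drain transfer, about 90 seconds in, before the outflow budget is exceeded; an alert like this would typically feed an automated response such as pausing the payout service or sweeping the remaining balance.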

About XT Exchange

Founded in 2018, XT Exchange is a leading global digital asset trading platform, serving over 12 million registered users across more than 200 countries and regions, with an ecosystem reach exceeding 40 million. XT Exchange supports 1,300+ tokens and 1,300+ trading pairs, offering a wide range of trading options, including spot, margin, and futures, alongside a secure RWA (Real World Assets) marketplace. Guided by the vision “Xplore Crypto, Trade with Trust,” the platform strives to provide a secure, trusted, and intuitive trading experience.

Disclaimer: XT Exchange reserves the right, at its sole discretion, to modify, amend, or cancel this announcement at any time for any reason without prior notice.
