Polymarket stated that approximately $573,200 was moved on Polygon on May 22 after an old private key used for the platform’s internal operational wallet was compromised. ZachXBT was the first to alert about unusual fund flows related to a Polymarket admin address, before the company confirmed the incident did not stem from a contract exploit. Polymarket asserted that user funds remain safe, Polymarket and UMA contracts were not attacked, and the market resolution process was not affected.
Polymarket Confirms Internal Wallet Key Compromise
Polymarket Developers stated that the platform noted security reports related to rewards payouts, but asserted that user funds and the market resolution process were not affected. The project stated that current findings point to a compromised private key of a wallet used for internal operations, not a flaw in contracts or core infrastructure.
No polymarket or UMA contracts have been exploited. All user funds are safe, and using https://t.co/7bOD8pgjQC is safe, so business as usual.
We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it.…
— Josh (@devjoshstevens) May 22, 2026
Josh Stevens, Vice President of Engineering at Polymarket, later emphasized that no Polymarket or UMA contracts were attacked. He said the compromised private key had existed for about 6 years and was within an internal configuration used to replenish the system, causing funds to continue being sent to the related address while the incident was ongoing.
ZachXBT Flagged the Admin Address
The initial warning came from ZachXBT in his Telegram channel, when he stated that a Polymarket admin address on Polygon appeared to have been compromised. At that time, ZachXBT estimated that over $520,000 had been withdrawn and disclosed that the attacker’s wallet started with 0x8F98.
Warning post in the channel. Source: ZachXBT
Lookonchain later cited this warning along with Arkham data and provided an initial estimate of over $660,000 withdrawn. The initial on-chain alerts caused the incident to be viewed as a contract exploit, before Polymarket confirmed the issue came from the private key of the internal operational wallet.
$164K Frozen After $573.2K Was Moved
In a subsequent update, Stevens stated that Polymarket collaborated with ZachXBT, BitcoinVN, and ChangeNOW to freeze $164,000 of the funds moved from the compromised private key. This figure is equivalent to approximately 28.6% of the amount Polymarket confirmed was moved.
With @zachxbt leading the effort alongside @Bitcoin_Vietnam and @ChangeNOW_io, we managed to freeze $164,000 of the $573,200 in funds transferred from the compromised private key.
Really was a team effort, and it was amazing how quickly everyone reacted. Thanks to everyone who… https://t.co/LW2pHZuFG7
— Josh (@devjoshstevens) May 22, 2026
The figure published by Stevens is lower than the initial estimate of over $660,000 from Lookonchain, but higher than the level of over $520,000 stated by ZachXBT in the first warning. These levels were provided at different times during the on-chain community’s tracking of the fund flows.
Polymarket Rotates Key After Compromise
Following the incident, Stevens stated that Polymarket rotated the affected private key, revoked all associated production access, and will move private key management to KMS. These moves were made after the platform determined the incident stemmed from an old key within internal operational processes, rather than a contract flaw.
The move to KMS marks a change in how Polymarket manages keys after the incident. For crypto platforms, private keys tied to operational wallets or admin rights can become major risk points if they remain in automated flows after many years. In this case, Polymarket said associated production rights have been revoked, but has not yet stated the prior scope of authority of the affected wallet.
On the same day, Polymarket Developers also announced a scheduled maintenance, during which trading was paused for about 5-10 minutes and shifted to post-only mode for 2 minutes after restarting. The project later stated that the maintenance was completed and trading returned to normal, but did not clarify whether this maintenance was directly related to the private key incident.
What Polymarket Has Yet to Disclose
It currently remains unclear how the private key was compromised, what scope of access this internal operational wallet held, and whether Polymarket can recover any further portion of the assets beyond the frozen amount. Polymarket has also not clarified whether the move to KMS will apply to all operational keys or only the group of keys related to this specific incident.
A full postmortem, if published, could clarify which operational flow the affected wallet was in, why a key existing for many years was still being used, and how new control measures will change internal processes.
