Polymarket said that roughly $573,200 was moved on Polygon on May 22 after an old private key used for the platform's internal operational wallet was compromised. ZachXBT was the first to alert about unusual fund flows related to a Polymarket admin address, before the company confirmed the incident did not stem from a contract exploit. Polymarket asserted that user funds remain safe, Polymarket and UMA contracts were not attacked, and the market resolution process was not affected.
Polymarket Confirms Internal Wallet Key Compromise
Polymarket Builders said that the platform noted security reports related to rewards payouts, but asserted that user funds and the market resolution process were not affected. The project said that current findings point to a compromised private key of a wallet used for internal operations, not a flaw in contracts or core infrastructure.
No polymarket or UMA contracts have been exploited. All user funds are safe, and using https://t.co/7bOD8pgjQC is safe, so business as usual.
We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it.…
— Josh (@devjoshstevens) May 22, 2026
Josh Stevens, Vice President of Engineering at Polymarket, later emphasized that no Polymarket or UMA contracts had been attacked. He said the compromised private key had existed for about 6 years and was in an internal configuration used to replenish the system, causing funds to continue being sent to the related address while the incident was ongoing.
ZachXBT Flagged the Admin Address
The initial warning came from ZachXBT in his Telegram channel, when he said that a Polymarket admin address on Polygon appeared to have been compromised. At that time, ZachXBT estimated that over $520,000 had been withdrawn and disclosed that the attacker's wallet started with 0x8F98.
Warning post in the channel. Source: ZachXBT
Lookonchain later cited this warning along with Arkham data and provided an initial estimate of over $660,000 withdrawn. The initial on-chain alerts caused the incident to be viewed as a contract exploit, before Polymarket confirmed the issue came from the private key of the internal operational wallet.
$164K Frozen After $573.2K Was Moved
In a subsequent update, Stevens said that Polymarket collaborated with ZachXBT, BitcoinVN, and ChangeNOW to freeze $164,000 of the funds moved from the compromised private key. This figure is equivalent to roughly 28.6% of the amount Polymarket confirmed was moved.
With @zachxbt leading the effort alongside @Bitcoin_Vietnam and @ChangeNOW_io, we managed to freeze $164,000 of the $573,200 in funds transferred from the compromised private key.
Actually was a group effort, and it was superb how rapidly everybody reacted. Thanks to everybody who… https://t.co/LW2pHZuFG7
— Josh (@devjoshstevens) May 22, 2026
The figure published by Stevens is lower than the initial estimate of over $660,000 from Lookonchain, but higher than the level of over $520,000 stated by ZachXBT in the first warning. These figures were provided at different times during the on-chain community's monitoring of the fund flows.
Polymarket Rotates Key After Compromise
Following the incident, Stevens said that Polymarket rotated the affected private key, revoked all related production access, and will move private key management to KMS. These moves were made after the platform determined the incident stemmed from an old key in internal operational processes, rather than a contract flaw.
The move to KMS marks a change in how Polymarket manages keys after the incident. For crypto platforms, private keys tied to operational wallets or admin rights can become major risk points if they remain in automated flows after many years. In this case, Polymarket said related production rights have been revoked, but has not yet stated the prior scope of authority of the affected wallet.
On the same day, Polymarket Builders also announced a scheduled maintenance, during which trading was paused for about 5-10 minutes and shifted to post-only mode for 2 minutes after restarting. The project later said that the maintenance was completed and trading returned to normal, but did not clarify whether this maintenance was directly related to the private key incident.
What Polymarket Has Yet to Disclose
It currently remains unclear how the private key was compromised, what scope of access this internal operational wallet held, and whether Polymarket can recover any further portion of the assets beyond the frozen amount. Polymarket has also not clarified whether the move to KMS will apply to all operational keys or only the group of keys related to this specific incident.
A full postmortem, if published, could clarify which operational flow the affected wallet was in, why a key that had existed for many years was still being used, and how new control measures will change internal processes.

