An attacker drained roughly $700,000 in POL tokens from an internal Polymarket operations wallet on May 22, 2026, after obtaining a private key to a six-year-old admin address on the Polygon blockchain — the same day Congress formally opened an insider-trading investigation into the prediction market platform.
On-chain investigator ZachXBT flagged the suspicious activity first, identifying addresses connected to Polymarket's UMA CTF Adapter infrastructure as the source of the outflows. On-chain analytics platforms Bubblemaps and Lookonchain followed with their own analysis, raising the estimated loss from an initial figure of approximately $520,000 to a range of $600,000–$700,000 in POL. The attacker extracted funds at a rate of around 5,000 POL every 30 seconds before the drain stopped, with the stolen tokens split across at least 15 wallet addresses and routed through centralized exchanges and other services, according to Bubblemaps.
Polymarket developer Shantikiran Chanal issued a statement confirming the incident and drawing a clear line around its scope. "A private key compromise of a wallet used for internal operations — not contracts or core infrastructure," Chanal wrote. He said the platform was "aware of the security reports linked to rewards payout" and confirmed that user funds and market resolution — which runs through UMA's Optimistic Oracle — were unaffected. The UMA CTF Adapter contract itself was not exploited; the attacker controlled a wallet that had administrative access to it. "We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on," Chanal added, confirming a shift to Key Management Service infrastructure for all private keys going forward.
The compromised wallet's age — reportedly six years old — is the detail that cuts deepest. A key that predates Polymarket's current scale had apparently remained in active use for internal top-up operations without being migrated to managed key infrastructure. That is the kind of maintenance gap that on-chain investigators and security researchers have flagged repeatedly across DeFi platforms.
The incident arrives at an uncomfortable moment for Polymarket. On the same day as the drain, House Oversight Committee Chair James Comer sent letters to Polymarket CEO Shayne Coplan and Kalshi demanding information on identity verification, geographic restriction enforcement, and records of suspicious trades tied to U.S. military operations in Venezuela and Iran. A May 11 letter from Democratic members of the committee cited a single trader who made nearly $1 million with a 93 percent success rate on wagers predicting unannounced U.S. and Israeli military strikes, and noted that Israeli authorities had separately indicted two individuals — including a military reservist — for placing bets using classified information. Congress is now weighing legislation that would ban government officials from trading on prediction markets.
Taken together, the two events on May 22 put Polymarket in a position it has not faced before: a security incident that, while contained, demonstrates operational vulnerabilities at the infrastructure level, landing simultaneously with formal congressional scrutiny over how the platform's trading data has been used. Neither problem threatens the platform's core function directly. Both raise questions about what institutional-grade controls look like for a platform that has become the dominant venue for real-money forecasting on geopolitical events.
The market resolution system was not disrupted. Prediction markets continued to settle normally through UMA's oracle.
Sources: Bitcoin.com (Shantikiran Chanal statement); Crypto Briefing (Bubblemaps drain analysis, 15 wallet splits, 5,000 POL/30s rate); CryptoTimes (drain mechanics, wallet addresses); CNBC / Roll Call (Comer congressional investigation, May 22, 2026); U.S. House Oversight Committee letter, May 11, 2026 (pappas.house.gov).