Polymarket Loses $700K in POL After Admin Key Compromised

Polymarket confirmed roughly $700,000 in its POL token was drained after a six-year-old internal admin wallet private key was compromised. The company stated user funds held in markets and core contracts were not affected.

Blockchain investigator ZachXBT flagged the activity on Friday, pointing to withdrawals from an admin address on the Polygon network. On-chain tracking showed attackers withdrawing about 5,000 POL every 30 seconds and splitting transfers across roughly 16 addresses, with some funds routed to centralized exchanges and other services.

Polymarket said the compromised key belonged to a wallet used for internal operations and payouts, not to smart contracts that handle user funds or market resolution. The team began rotating affected keys and launched an investigation to determine whether any internal credentials or secrets were exposed.

Josh Stevens, Polymarket’s vice president of engineering, wrote that the breached key had been in use for six years in an internal top-up configuration. He reported the key has been rotated, production permissions revoked, and that the firm will move backend private keys to a managed key management service (KMS).

A company representative, Shantikiran Chanal, wrote the platform was aware of reports linked to a rewards payout and reiterated that market resolution functions remained intact. Polymarket urged users that platform balances were secure and that using Polymarket.com was safe.

On-chain monitoring aided the response by tracking the cadence and destinations of withdrawals while the incident unfolded. Polymarket noted no UMA or platform contracts were exploited. The firm reported trading volumes above $9 billion in April. The internal investigation and key management changes are ongoing.