ZachXBT: Polyarb a fake prediction market that drains wallets

On May 4, 2026, on-chain investigator ZachXBT posted an alert saying Polyarb, a site presenting itself as a prediction market, is operating an active wallet drainer. The investigator warned that users who connect wallets to the site risk signing a malicious smart contract approval that would let attackers move funds.

ZachXBT described the technique used by the drainer: when a user connects a wallet and signs what appears to be a routine action, such as making a deposit, entering a market, or claiming tokens, the interaction triggers a separate, hidden approval. That hidden approval grants the attacker permission to transfer tokens from the user’s wallet. The post also noted the platform does not publish audited contract code.

The post flagged an amplification risk tied to replies from high-profile crypto accounts. When a prominent account replies to a Polyarb post, the platform appears in the replying account’s feed and reaches large audiences. Replies and critical comments do not label content as malicious for followers, so engagement by well-known accounts can increase the site’s visibility.

Security professionals have observed more fake decentralized finance and prediction market sites in 2026. Operators create look-alike interfaces that imitate legitimate services such as Polymarket and Kalshi while omitting third-party audits and regulatory disclosures. These copycat sites often use recently created social profiles and unverified contract addresses, raising questions about are prediction markets legal.

Earlier in May, ZachXBT publicized a separate matter showing a U.S. law firm had filed claims to seize $71 million in ether frozen after the April 2026 KelpDAO exploit, a case linked to the Lazarus Group. The Polyarb alert followed that disclosure.

To reduce risk, users should verify a platform’s smart contract address against official documentation before connecting a wallet and confirm the contract has a public audit by a reputable security firm. Red flags include no disclosed regulatory relationships, no public audits, and social accounts created shortly before claimed activity. If a suspicious interaction has occurred, users can revoke token approvals with services such as Revoke.cash. Using a hardware wallet instead of a browser-based hot wallet when interacting with unknown sites provides an additional safeguard because each transaction requires physical confirmation.

Wallet drainers depend on user approvals and signed messages. Checking contract addresses, avoiding unfamiliar links, not interacting with suspicious posts, revoking unexpected approvals and using hardware wallets are practical steps to limit exposure.