Around May 22, 2026, the on-chain prediction market platform Polymarket was forced to admit that the private key of an internal "operating wallet" had been leaked, allowing attackers to take over the address within a short time. According to on-chain analysis from Bubblemaps, the attacker moved assets out of the Polymarket-associated wallet in batches of approximately 5000 POL every 30 seconds, with the theft estimated at around 600,000 dollars. The funds were subsequently dispersed to multiple new addresses. As public attention escalated, on-chain analysts and the community began tracking these abnormal transfer paths, while Polymarket officials stressed from the outset that this was not a breach of the core contract or infrastructure but a problem with the management of the operating side's private key. Polymarket staff member Shantikiran Chanal later stated that the incident did not affect user betting funds or the settlement process of the prediction market, and current public information shows no confirmed cases of tampered settlement results. However, for a platform that claims to be "trustless," when an operating wallet can be quietly drained in a matter of days, the question is no longer who will bear the cost of these 600,000 dollars but how far Polymarket's internal security shortcomings will undermine user trust in the entire system over the long run.
The Scene of the Theft: Operating Wallet Gradually Drained
What on-chain monitoring first picked up was not a single large transfer but an address that was "slowly bleeding." According to Bubblemaps analysis, the Polymarket internal operating wallet whose private key had leaked began showing high-frequency small transfers in the period leading up to May 22, 2026: approximately every 30 seconds, around 5000 POL was transferred out, in a nearly uninterrupted rhythm, as if a pre-written script were relocating the assets. No single transfer looked unusually large, but on the block explorer's timeline these dense outgoing records quickly accumulated into a continuous red waterfall, and the operating wallet's assets were drained little by little over a few days.
The transferred assets did not concentrate in one or two obvious "main wallets." According to on-chain analysts such as ZachXBT, the funds were dispersed across about 15 different addresses in a deliberately distributed pattern, and some of those addresses have on-chain associations with the UMA CTF Adapter contract. This remains at the level of address correlation for now: Polymarket officials have not disclosed more detailed technical information, nor explained how these addresses relate to the platform's business logic. The only label the project team has offered publicly is that the affected addresses are "internal operating wallets," and it has repeatedly stressed that they are separate from the pool holding user betting funds and from the settlement contract. Without any public explanation of the wallet's day-to-day use, however, this vague positioning is itself an uncertainty that has to be called out when assessing the scope of the theft's impact.
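The drain pattern described above (evenly spaced, near-equal outflows from one address, fanned out across many recipients) is something a wallet-monitoring job can test for directly. The following is an added illustration, not Polymarket's or Bubblemaps' tooling; the addresses, transfer records and thresholds are constructed assumptions.

```python
from statistics import median

def make_sample():
    """Constructed transfers (unix_ts, sender, recipient, amount_pol); not real chain data."""
    # Drain shaped like the reported one: 5000 POL every 30 s, fanned out to 15 addresses.
    drain = [(1_000_000 + 30 * i, "0xOPS", f"0xNEW{i % 15:02d}", 5000.0) for i in range(40)]
    # Busy but irregular hot wallet: varying gaps and amounts.
    hot = [(1_000_000 + 7 * i * i, "0xHOT", f"0xUSER{i:02d}", 100.0 + (i * 37) % 900)
           for i in range(30)]
    return drain + hot

def detect_drain(transfers, sender, min_run=10, gap_tol=0.2, amt_tol=0.1, min_fanout=5):
    """Return a summary if `sender` shows a long run of evenly spaced, near-equal
    outflows spread over many recipients; otherwise None. Thresholds are assumptions."""
    txs = sorted(t for t in transfers if t[1] == sender)
    if len(txs) < max(min_run, 2):
        return None
    med_gap = median(b[0] - a[0] for a, b in zip(txs, txs[1:]))
    med_amt = median(t[3] for t in txs)
    if med_gap <= 0 or med_amt <= 0:
        return None

    def steady_amt(t):
        return abs(t[3] - med_amt) <= amt_tol * med_amt

    # Track the longest run where both the interval and the amount stay near the median.
    best, run = [], ([txs[0]] if steady_amt(txs[0]) else [])
    for prev, cur in zip(txs, txs[1:]):
        steady_gap = abs((cur[0] - prev[0]) - med_gap) <= gap_tol * med_gap
        if run and steady_gap and steady_amt(cur):
            run = run + [cur]
        else:
            run = [cur] if steady_amt(cur) else []
        if len(run) > len(best):
            best = run
    fanout = len({t[2] for t in best})
    if len(best) < min_run or fanout < min_fanout:
        return None
    return {"sender": sender, "transfers": len(best), "interval_s": med_gap,
            "total_pol": sum(t[3] for t in best), "recipients": fanout}

if __name__ == "__main__":
    sample = make_sample()
    for addr in ("0xOPS", "0xHOT"):
        print(addr, detect_drain(sample, addr))
```

With `min_run=10` and a 30-second cadence, an alert of this kind would fire about five minutes into a drain rather than days later.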
Operating Wallet Breached but Not Impacting Users?
To understand the boundaries of this incident, one must first separate the "operating wallet" from "user betting funds and settlement contracts." After confirming the private key leak, Polymarket officials emphasized multiple times that the event only affected the "operating wallet," and that the contract managing user betting funds and the market settlement process remained independent of it. According to on-chain analysis data from AiCoin, the stolen funds all originated from a single operating-side address rather than being withdrawn from multiple user betting positions. There are also currently no publicly known cases of a prediction market being tampered with or settlement results being altered, which is the most direct on-chain evidence supporting the claim of "user fund security."
In other words, even if the private key of the operating wallet is completely exposed, the attacker, under the current structure, can "only" move the assets held at that address and cannot touch the betting principal locked in the contracts or the settlement logic. Polymarket's denial of vulnerabilities in the core contract and infrastructure supports this point. The problem is that this kind of "asset isolation" does two things at once: it objectively limits how far the risk can spread and gives the officials their main point for calming users, yet it also further exposes the single-point risk at the operational level. How many operational assets a single private key controls, what permissions it carries, and whether multi-signature or tiered permission constraints exist are all things the project team has not disclosed to date, leaving outsiders to oscillate between trust and unease, and this operating wallet has become the most prominent weak link in Polymarket's trust structure.
On-Chain Detectives and the Game of Security Disclosure
The operating wallet became both the weak link and a target for on-chain "detectives." On May 22, 2026, and in the days prior, ZachXBT was the first to warn on social media that suspicious transfers had occurred at Polymarket-related addresses: funds were being repeatedly split into small amounts from a wallet described as being used for operational purposes and were flowing continuously to multiple new addresses. According to their analysis, the transferred assets were dispersed to about 15 different addresses, triggering strong speculation within the community about whether a real-time attack was underway. At this point, discussion of the nature of the incident and its impact was based almost entirely on publicly available on-chain data and independent analysts' interpretations rather than on proactive disclosure from the project team.
Subsequently, Bubblemaps added a more systematic piece to the puzzle: it released an on-chain relationship map linking the relevant addresses into a visual network, estimated the stolen amount at around 600,000 dollars, marked the on-chain connections between these addresses and the UMA CTF Adapter contract, and showed how assets were being moved at a pace of approximately 5000 POL every 30 seconds. For ordinary users, this kind of "real-time visual pursuit" amplifies panic (numbers and arrows make the attack process seem within reach) while also forcing Polymarket officials to provide an explanation quickly. Ultimately, under strong public pressure following the external disclosures, Polymarket confirmed that the root cause was the leak of the internal operating wallet's private key, emphasizing the security of user funds and the prediction market settlement process while denying vulnerabilities in the core contract. The time gap between the on-chain analysts and the official statements formed a new disclosure game: the project team no longer controlled the starting point of the narrative and could only try to shore up sentiment and trust boundaries after the on-chain evidence had already been publicly interpreted.
The Trust Red Line of Prediction Markets Has Been Touched
Polymarket truly entered the broader public eye during the 2024 U.S. election cycle with a series of election-related markets. For these users, what is at stake is not just the results themselves but also the platform's credibility in statistical results, rule enforcement, and the settlement process. Once this "trust asset" is established, it is treated as part of the pricing: odds can fluctuate, but the platform cannot be doubted at critical junctures.
Therefore, a security incident involving the leak of the internal operating wallet's private key, occurring after Polymarket had already gained considerable recognition, has a far greater impact than a similar incident at an obscure small project. Although the officials repeatedly emphasized that the prediction market settlement contract was unaffected and that there were no confirmed cases of lost user betting funds, the approximately 600,000 dollars stolen on-chain still serves as a reminder to heavy users: this time, "only" the operating wallet was at risk; whether they will be as fortunate next time remains uncertain. Prediction markets already carry event risk arising from regulatory uncertainty and result disputes, and the added layer of uncertainty about platform operational security effectively raises the risk premium for participating in this market. Some users may recalculate their risk tolerance, and Polymarket must operate each future market on a more fragile trust basis.
What Can the Industry Do Before the Next Private Key Breach
For now, the more useful thing to watch in Polymarket's next steps is a set of concrete signals: whether its promised "subsequent updates" will include a complete security review report explaining the technical chain of this private key leak and how internal permissions were configured and breached, and whether it will publish the operating wallet structure and an improvement plan for the reward distribution process at the same time, rather than just a brief assertion that "the issue has been resolved." For the larger DeFi and application ecosystem, the operating wallet theft of May 2026 reaffirms an old issue: even if the core contract has been perfectly audited, as long as high-permission private keys are concentrated in the hands of a few, the operating wallet will repeatedly become a high-risk point. For ordinary users assessing a platform, contract security alone is no longer sufficient; they must also check whether the team discloses the boundaries of operating wallet responsibilities, how permissions are split, its emergency plans, and how transparently it has handled past incidents. Development teams, for their part, must write operational security into design documents and treat the "backend wallets" used for reward distributions, cost management and similar tasks as part of the production system, with stop-loss and recovery paths defined in advance in case private keys are compromised. What truly determines whether Polymarket can still be trusted will be whether it and the entire industry treat this theft of the operating wallet as a starting point for rewriting operational security rules, rather than as another forgotten accident.



