Polymarket Vendor Cyber Rating & Cyber Score

polymarket.com

The World's Largest Prediction Market™


Polymarket A.I CyberSecurity Scoring

Company Information
Website: http://www.polymarket.com
Employees number: 242
Number of followers: 34,857
NAICS: 5112
Industry Type: Software Development
Homepage: polymarket.com
Polymarket Risk Score (AI oriented)
Between 550 and 599
Updated: 22/05/2026
Score: 570/1000 (Very Poor)
Rating: Ca (scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Current Score
570 Ca (VERY POOR), on a scale of 0 to 1000
3 incidents
-92.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
574 Before Incident
MAY 2026
666 Before Incident
Breach
22 May 2026, Polymarket
Polygon and Polymarket: ZachXBT flags $520K Polymarket exploit on Polygon, team says funds are safe

Polymarket Suffers $520K Security Breach Due to Private Key Compromise

570 After Incident
LOW -96
POLPOL1779460097

Blockchain investigator ZachXBT has uncovered a suspected security breach targeting Polymarket, the largest decentralized prediction market platform. According to on-chain data, $520,000 was drained from two smart contracts on the Polygon blockchain on [date not specified]. The compromised addresses 0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082 and 0x91430CaD2d3975766499717fA0D66A78D814E5c5 had funds transferred to the attacker’s address (0x8F98075db5d6C620e8D420A8c516E2F2059d9B91).

Polymarket’s development team acknowledged the incident in an X (formerly Twitter) post, confirming awareness of reports tied to its rewards payout system. The company clarified that user funds and market resolutions remain unaffected, attributing the breach to a private key compromise of an internal operations wallet rather than a smart contract exploit or core infrastructure failure. Further updates are pending.

Polygon Labs CTO Mudit Gupta weighed in, stating that Polymarket’s contracts and user funds are secure, though the platform’s market initializer was compromised. He emphasized that the incident had no direct impact on users or smart contracts. Polymarket has yet to release an official statement from its primary X account.

The breach occurs amid increased scrutiny of decentralized finance (DeFi) platforms, highlighting ongoing security challenges in the sector.

INCIDENT DETAILS
TYPE
Security Breach
IMPACT
Financial Loss: $520,000
Systems Affected: Rewards payout system, market initializer
Operational Impact: Funds drained from smart contracts
Brand Reputation Impact: Increased scrutiny of DeFi platforms
APRIL 2026
754 Before Incident
Breach
28 Apr 2026, Polymarket
Polymarket: Polymarket denies data breach, says hacker is selling public data

Polymarket Denies Data Breach After Hacker Claims Theft of 300,000 Records

665 After Incident
CRITICAL -89
POL1777458829

Prediction markets platform Polymarket has refuted allegations of a data breach after a hacker, operating under the pseudonym xorcat, posted claims on the dark web that they had stolen over 300,000 records, including 10,000 unique user profiles containing full names, profile images, proxy wallets, and base addresses. The screenshots of the post, shared by cybersecurity firm Vecert Analyzer and dark web monitoring accounts on X (formerly Twitter), surfaced on Tuesday.

Polymarket dismissed the claims as "complete and utter nonsense," asserting that the allegedly stolen data was already publicly accessible via its API endpoints and on-chain records. The platform emphasized that its transparency as a blockchain-based service means all data is auditable by design: a feature, not a vulnerability. In a follow-up statement, Polymarket mocked the hacker’s attempt to monetize freely available information, questioning whether venture capital funding had backed the stunt.

The hacker, however, argued that the data was obtained through undocumented API endpoints, pagination bypasses, and CORS misconfigurations in Polymarket’s Gamma and CLOB APIs. Xorcat also claimed to have breached other prediction markets and threatened to release additional data in the coming days. The motive, according to the hacker, was Polymarket’s lack of a bug bounty program, though the platform has had an active program since April 16, receiving 446 reports as of Wednesday.

Security experts have cast doubt on the breach claims. Vladimir S, Chief Security Officer at Legalblock, suggested the incident appeared to be a case of parsed public data being misrepresented as a database leak. The incident comes amid a surge in crypto-related exploits, with blockchain security firm Hacken reporting $482 million in losses across 44 Web3 incidents in Q1 2026.

Polymarket’s denial highlights the ongoing tension between transparency in decentralized platforms and the risks of data exposure.

INCIDENT DETAILS
TYPE
Data Exposure / Alleged Breach
MOTIVATION
Lack of bug bounty program (disputed by Polymarket)
IMPACT
Data Compromised: 300,000 records (alleged), including 10,000 unique user profiles with full names, profile images, proxy wallets, and base addresses
Systems Affected: Gamma and CLOB APIs
Brand Reputation Impact: Potential reputational damage due to allegations
Identity Theft Risk: High (PII exposed: full names, wallet addresses)
Payment Information Risk: High (proxy wallets and base addresses exposed)
DATA BREACH
Type Of Data Compromised: User profiles (full names, profile images, proxy wallets, base addresses)
Number Of Records Exposed: 300,000 (alleged)
Sensitivity Of Data: High (PII and cryptocurrency wallet information)
Data Exfiltration: Claimed by hacker, denied by Polymarket
Personally Identifiable Information: Full names, profile images, wallet addresses
MARCH 2026
754 Before Incident
FEBRUARY 2026
754 Before Incident
JANUARY 2026
754 Before Incident
DECEMBER 2025
754 Before Incident
NOVEMBER 2025
754 Before Incident
OCTOBER 2025
754 Before Incident
SEPTEMBER 2025
754 Before Incident
AUGUST 2025
754 Before Incident
JULY 2025
754 Before Incident
OCTOBER 2008
754 Before Incident
Cyber Attack
16 Oct 2008, Polymarket
Kalshi and Polymarket: Betting on Cybercrime – Prediction Markets and Hacking

Cybercriminals Exploit Prediction Markets to Profit from Insider Knowledge

736 After Incident
HIGH -18
KALPOL1777451477

Cybercrime has long revolved around monetizing unauthorized access, from credit card theft to ransomware. Now, attackers are leveraging prediction markets like Kalshi and Polymarket to profit from foreknowledge of real-world events, turning future outcomes into tradable assets. These platforms allow users to bet on everything from corporate data breaches to regulatory decisions, but hackers are no longer just passive observers. By gaining early access to nonpublic information or manipulating systems, they can predict or even control the outcomes they bet on.

### How Attackers Could Game the System

- Data Breach Betting: A hacker breaches a company, discovers an undisclosed incident, and places a bet on its public disclosure, profiting when the breach is reported.
- DeFi Exploits: An attacker identifies a vulnerability in a decentralized finance project, bets on its compromise, then executes the hack, earning twice.
- Regulatory Insider Trading: Similar to the EDGAR hack, attackers access embargoed corporate or government filings and bet on outcomes tied to that information.
- Sensor Manipulation: In markets tied to physical data (e.g., temperature readings), hackers alter sensor feeds to skew results in their favor.
- Oracle & Voting Exploits: In decentralized markets, attackers influence outcome-determining mechanisms (e.g., oracles or votes) to rig results.
- Disinformation + Betting: Attackers take a position on a negative event (e.g., a company’s stock drop) and amplify false narratives to ensure the outcome.
- Legal Filing Exploits: Early access to court documents (via systems like PACER) allows betting on lawsuit disclosures before they become public.
- Ransomware + Market Manipulation: After breaching a company, attackers could bet on breach disclosures or operational disruptions, then adjust tactics (e.g., data leaks) to guarantee payouts.

### Why This Is Different

While insider trading and market manipulation aren’t new, prediction markets introduce a financial layer where events themselves become tradable commodities. Existing laws, such as data breach disclosure requirements, can inadvertently create exploitable windows, giving attackers a predictable timeline to act.

Though no major prosecutions have yet targeted this specific scheme, the building blocks are already in place. Cybercriminals have long stolen early information, manipulated systems, and profited from timing. Prediction markets simply connect these tactics into a new revenue stream.

The core risk? These markets assume participants are passive predictors, but attackers are anything but. With the ability to see behind the curtain or pull the strings, betting on the future becomes a far more dangerous game.

INCIDENT DETAILS
TYPE
Market Manipulation
Insider Trading
Data Breach
Ransomware
DeFi Exploit
MOTIVATION
Financial Gain
IMPACT
Nonpublic corporate data
Regulatory filings
Court documents
DeFi project vulnerabilities
Prediction markets (Kalshi, Polymarket)
DeFi platforms
Regulatory filing systems
Physical sensor networks
Decentralized oracles/voting systems
Market manipulation
Distorted prediction outcomes
Increased risk of insider trading
Erosion of trust in prediction markets
Reputational damage to affected companies
Potential violations of insider trading laws
Data breach disclosure requirements
DATA BREACH
Nonpublic corporate data
Regulatory filings
Court documents
DeFi project vulnerabilities
High

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Polymarket?
What was Polymarket's A.I Rankiteo Cyber Score in May 2026?
What was Polymarket's A.I Rankiteo Cyber Score in April 2026?
What was Polymarket's A.I Rankiteo Cyber Score in March 2026?
What was Polymarket's A.I Rankiteo Cyber Score in February 2026?
What was Polymarket's A.I Rankiteo Cyber Score in January 2026?
What was Polymarket's A.I Rankiteo Cyber Score in December 2025?
What was Polymarket's A.I Rankiteo Cyber Score in November 2025?
What was Polymarket's A.I Rankiteo Cyber Score in October 2025?
What was Polymarket's A.I Rankiteo Cyber Score in September 2025?
What was Polymarket's A.I Rankiteo Cyber Score in August 2025?
What was Polymarket's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Polymarket's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Polymarket?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Polymarket's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?